PF_RING is software that installs a network socket allowing for “High-speed packet capture, filtering and analysis” https://www.ntop.org/products/packet-capture/pf_ring/. It is useful in applications where capturing a lot of network traffic is a requirement such as Snort or BRO IPS/IDS deployments.
When possible, I use salt to manage pf_ring deployments but manual steps are condensed from the online documentation located at https://www.ntop.org/get-started/download/#PF_RING. For the purpose of this article, we will be installing the stable package on a CentOS 7 system from http://packages.ntop.org/.
Install the epel repo
rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
create a pfring.repo file in /etc/yum.repos.d/
# pf-ring repository [pfring] name=pfring gpgcheck=1 gpgkey=http://packages.ntop.org/centos-stable/RPM-GPG-KEY-deri enabled=1 baseurl=http://packages.ntop.org/centos-stable/$releasever/$basearch/ [pfring_noarch] name=pfring_noarch gpgcheck=1 gpgkey=http://packages.ntop.org/centos-stable/RPM-GPG-KEY-deri enabled=1 baseurl=http://packages.ntop.org/centos-stable/$releasever/noarch/
We only want pf_ring and the kernel module (feel free to install other ntop software: n2disk, nprobe, ntopng, ntopng-data, cento)
yum install pfring pfring-dkms
Setup management and capture interfaces in /etc/pf_ring/interfaces.conf
MANAGEMENT_INTERFACES="ens192" CAPTURE_INTERFACES="ens224"
Enable promiscuous mode on your capture interface
/sbin/ip link set ens224 promisc on
Configure modprob options in /etc/modprobe.d/pf_ring.conf. Eample below may differ from actual cards options. Run ethtool -g <dev> to check specifics.
options pf_ring enable_tx_capture=0 min_num_slots=4096
At this point if you start the pf_ring service it will automatically try to load the kernel module.
systemctl start pf_ring
Check if the kernel module is loaded
lsmod |grep pf_ring
Make sure services start on boot
systemctl enable pf_ring
Configure a systemd service to control promiscuous mode on your capture interface