Hi Luca,
Sure, I'd be happy to contribute to the ntop blog and update the PF_RING
readme file for snort. I'm only able to address i386 and x86_64
platforms running the latest CentOS 5 though. What kind of blog article
were you envisioning? Perhaps a "Building CentOS 5 packages against
PF_RING" page in which I contribute my install processes for the tools
I've compiled against PF_RING? Then perhaps others could add comments
featuring other tools they figured out how to build against PF_RING?
Just let me know how to proceed.
Kevin
On 2/12/2010 5:14 PM, Luca Deri wrote:
Hello
would you be willing to write a page on the ntop blog or update the readme file
I have written for snort?
Regards Luca
On Feb 12, 2010, at 4:07 PM, The Branches wrote:
Peter,
I had a dickens of a time getting that one right but with some help along the
way I arrived at this method that works, at least on CentOS 5 platforms.
The process assumes you have checked out PF_RING to /opt/PF_RING. It also assumes you are not doing any
"make install" stuff of the "lib" or "libpcap-1.0.0-ring" parts of the PF_RING
package. This means we aren't interfering with other apps that use libpcap but don't need PF_RING.
If anyone has any improvements to offer on this method, I'm all ears.
I use a similar method to successfully build daemonlogger and argus against
PF_RING and am happy to share details upon request.
Maybe we could put a Wiki page somewhere on how to build popular apps against
PF_RING?
Building snort against PF_RING
cd /opt/PF_RING/userland
wget http://dl.snort.org/snort-current/snort-2.8.5.2.tar.gz
tar zxvf snort-2.8.5.2.tar.gz
cd snort-2.8.5.2
LD_LIBRARY_PATH=/opt/PF_RING/userland/libpcap-1.0.0-ring:/opt/PF_RING/userland/lib
LD_RUN_PATH=/opt/PF_RING/userland/libpcap-1.0.0-ring:/opt/PF_RING/userland/lib
export LD_LIBRARY_PATH
export LD_RUN_PATH
./configure --with-libpcap-includes=/opt/PF_RING/userland/libpcap-1.0.0-ring/ \
--with-libpcap-libraries=/opt/PF_RING/userland/libpcap-1.0.0-ring/ \
--with-libpfring-includes=/opt/PF_RING/userland/lib \
--with-libpfring-libraries=/opt/PF_RING/userland/lib \
LDFLAGS="-L/opt/PF_RING/userland/lib -L/opt/PF_RING/userland/libpcap-1.0.0-ring -lpfring -lpcap"
make
make install
On 2/12/2010 9:27 AM, Peter Bates wrote:
Hello again all...
Replying to my own message in this case.
I do realize this is technically a Snort problem as I have a happy
copy of tcpdump and pfcount and have also compiled another application
(ipaudit) against pfring and the modified libpcap.
I have updated from svn and am trying again, mostly following the
instructions from ntop.org and PF_RING/userland/README.snort.
I follow those instructions:
Prerequisites
# cd PF_RING/kernel
# make
# sudo make install
I can see:
Feb 12 10:46:07 netman3 kernel: [176840.220281] [PF_RING] Welcome to PF_RING 4.1.2 ($Revision: 4132$)
and I have /proc/net/pf_ring.
Snort
# download snort source (e.g. into ~/Downloads/snort-2.8.5.1.tar.gz)
# cd PF_RING/userland
# tar xvfz ~/Downloads/snort-2.8.5.1.tar.gz
# cd snort-2.8.5.1/
# ./configure --with-libpcap-includes=../libpcap-1.0.0-ring/ --with-libpcap-libraries=../libpcap-1.0.0-ring/ -with-libpfring-includes=../lib --with-libpfring-libraries=../lib LDFLAGS="-lpfring -lpcap"
# make
Snort is 2.8.5.2 so I've downloaded that version.
The configure line is missing a '-' in the libpfring-includes
- but when I fix that, I get:
checking for gcc... gcc
checking for C compiler default output file name...
configure: error: C compiler cannot create executables
See `config.log' for more details.
Which is because of:
configure:2941: checking for C compiler default output file name
configure:2968: gcc -lpfring -lpcap conftest.c>&5
/usr/bin/ld: cannot find -lpfring
collect2: ld returned 1 exit status
As I say, I realize this is more Snort failing to compile than anything to do
with PF_RING but if anyone has done this recently I'd appreciate it if you could
help as to why I'm having problems with this - my next stop is to try on the
Snort list.
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
---
"Debugging is twice as hard as writing the code in the first place. Therefore,
if you write the code as cleverly as possible, you are, by definition, not smart
enough to debug it." - Brian W. Kernighan
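
The `cannot find -lpfring` failure in this thread comes from an LDFLAGS that names libraries with `-l` but gives the linker no `-L` directory holding them. The following preflight check is an added example, not part of the thread or of PF_RING; the function name `unresolved_libs` and the `SYS_LIBDIRS` override are hypothetical, and paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: check an LDFLAGS string before handing it to ./configure.
# For every -lNAME it looks for libNAME.so or libNAME.a in the -L directories
# (GNU ld applies all -L options to all -l options, whatever their order)
# and in SYS_LIBDIRS, a hypothetical stand-in for the default search path.

SYS_LIBDIRS=${SYS_LIBDIRS-"/lib /usr/lib /lib64 /usr/lib64"}

# unresolved_libs "<ldflags>"
# Prints the unresolved library names, space separated.
# Empty output means every -l option has a matching file.
unresolved_libs() {
    dirs=$SYS_LIBDIRS
    libs=
    missing=
    # Pass 1: collect search directories and library names.
    # $1 is left unquoted on purpose so it splits into individual flags.
    for flag in $1; do
        case $flag in
            -L?*) dirs="$dirs ${flag#-L}" ;;
            -l?*) libs="$libs ${flag#-l}" ;;
        esac
    done
    # Pass 2: a library is resolved if any directory holds a .so or .a for it.
    for lib in $libs; do
        found=no
        for dir in $dirs; do
            if [ -e "$dir/lib$lib.so" ] || [ -e "$dir/lib$lib.a" ]; then
                found=yes
                break
            fi
        done
        [ "$found" = yes ] || missing="${missing:+$missing }$lib"
    done
    printf '%s' "$missing"
}

# The flags from the failing configure run, then the ones from the working recipe.
for flags in \
    "-lpfring -lpcap" \
    "-L/opt/PF_RING/userland/lib -L/opt/PF_RING/userland/libpcap-1.0.0-ring -lpfring -lpcap"
do
    echo "LDFLAGS=$flags"
    echo "  unresolved: $(unresolved_libs "$flags")"
done
```

An empty `unresolved:` line means the linker has a file to use for every `-l` option; it does not prove that the PF_RING-aware libpcap is the one that wins if a system libpcap is also on the search path.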