1. Change LDFLAGS to include the pfring shared library. Newer versions of pf_ring seem to depend on librt (-lrt), so I'd say try with or without it; up to you.
In src/Makefile change
LDFLAGS+=-lpcap -lpcre -lresolv
to
LDFLAGS+=-lpcap -lpcre -lresolv -lpfring -lrt
2. Add the header includes and an API call to change the packet polling watermark from 1 to 128. I found that without this, prads still has high (though lower) load and generates tons of context switches from polling the ring all the time.
src/prads.c
#include "dhcp.h"
+#include <pcap.h>
+#include <pcap/pcap.h>
+#include <pfring.h>
//#include "output-plugins/log_init.h"
and
olog("[*] Sniffing...\n");
+ pcap_set_watermark(config.handle, 128);
pcap_loop(config.handle, -1, got_packet, NULL);
game_over();
You can also set up clusters by using the PF_RING libpcap environment variables, such as
PCAP_PF_RING_APPNAME=
PCAP_PF_RING_USE_CLUSTER_PER_FLOW_5_TUPLE=
PCAP_PF_RING_RSS_REHASH=
PCAP_PF_RING_CLUSTER_ID=
For more options try
strings /usr/local/lib/libpcap.so.1.1.1 | grep PCAP_
or wherever your libpcap is installed.
++++++++++++SNIP++++++++++++++
diff --git a/Makefile b/Makefile
index 9c8b550..36a49e2 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
PREFIX=/usr/local
BINDIR=${PREFIX}/bin
-CONFDIR=${PREFIX}/etc/prads
+CONFDIR=/etc/prads
MANDIR=${PREFIX}/share/man/man1
DOCUTIL=rst2man
INSTALLGROUP=root
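Review bot: The new `CONFDIR=/etc/prads` drops the `${PREFIX}` dependency, so an install under a non-default or non-root PREFIX still installs to and, via the `-DCONFDIR` CFLAGS line in src/Makefile, reads from /etc/prads, while the write-up above the diff (steps 1 and 2) never mentions this change. If it is intentional, say so in the post; otherwise leave the line as `CONFDIR=${PREFIX}/etc/prads` and keep the patch to the PF_RING changes it describes.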
diff --git a/src/Makefile b/src/Makefile
index ee0cf37..da040b8 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -32,7 +32,7 @@ endif
ifeq (${TCMALLOC},y)
LDFLAGS+=-ltcmalloc
endif
-LDFLAGS+=-lpcap -lpcre -lresolv
+LDFLAGS+=-lpcap -lpcre -lresolv -lpfring -lrt
CFLAGS+=-DCONFDIR='"${CONFDIR}/"'
else
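Review bot: `-lpfring -lrt` is appended to LDFLAGS unconditionally, so every build now needs libpfring installed even when the PF_RING libpcap is not in use, and the FreeBSD line in the next hunk (`@@ -68,7`) has the same problem. The file already gates an optional library behind a make variable three lines up (`ifeq (${TCMALLOC},y)`); do the same here: `ifeq (${PFRING},y)` / `LDFLAGS+=-lpfring -lrt` / `endif`. The write-up itself says `-lrt` may or may not be needed, which is one more reason to keep it behind a switch rather than in the default link line.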
@@ -68,7 +68,7 @@ ifneq (${DEBUG_PACKET},)
CFLAGS+= -DDEBUG_PACKET
endif
ifeq ($(UNAME), FreeBSD)
-LDFLAGS= -L/usr/local/lib -lpcre -lpcap
+LDFLAGS= -L/usr/local/lib -lpcre -lpcap -lpfring -lrt
CPPFLAGS= -I/usr/local/include
endif
diff --git a/src/prads.c b/src/prads.c
index 34503fc..5c10398 100644
--- a/src/prads.c
+++ b/src/prads.c
@@ -41,6 +41,9 @@
#include "tcp.h"
#include "dump_dns.h"
#include "dhcp.h"
+#include <pcap.h>
+#include <pcap/pcap.h>
+#include <pfring.h>
//#include "output-plugins/log_init.h"
#include "output-plugins/log.h"
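Review bot: `<pcap.h>` and `<pcap/pcap.h>` are the same header on current libpcap (the top-level one just includes the other), so one of the two added includes is redundant, and nothing visible in this patch calls a `pfring_*` function, so `<pfring.h>` appears unused; the only PF_RING-specific call is `pcap_set_watermark` in the `@@ -1466,6` hunk below, which comes from the PF_RING-patched libpcap rather than from pfring.h as far as I can tell. Whichever include is kept, wrap it in `#ifdef HAVE_PFRING` (or a similar build-time switch defined by the same Makefile rule that adds `-lpfring`) together with that call, so a stock-libpcap build still compiles and links. The hunk header says 6 old / 9 new lines but only 5 / 8 are shown, so a blank line was probably dropped in the paste.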
@@ -1466,6 +1469,7 @@ int main(int argc, char *argv[])
cxt_init();
olog("[*] Sniffing...\n");
+ pcap_set_watermark(config.handle, 128);
pcap_loop(config.handle, -1, got_packet, NULL);
game_over();
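Review bot: The return value of `pcap_set_watermark(config.handle, 128)` is ignored, so a handle on which the call fails goes unnoticed and `pcap_loop` on the next line runs with the old watermark; assuming it follows the other `pcap_set_*` calls and returns non-zero on failure, check it and log the outcome, e.g. `if (pcap_set_watermark(config.handle, 128) != 0) olog("[*] pcap_set_watermark failed, keeping default\n");`. `128` is also a magic number that the write-up presents as a tuning choice, so a named constant or a config field next to `config.handle` would document it. The enclosing `main()` starts and ends outside the hunk, and the header's counts (6 old / 7 new) do not match the five lines shown, so lines may have been lost in the paste.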
That is the main reason I continue to use prads. With pf_ring libpcap you can enable load balancing using the PCAP_PF_RING_CLUSTER_ID environment variable.
Use the same integer ID for the instances you want to share the load.