
1. PF_RING 安装


A clean install, no other packages were installed other than mentioned(提到).


1. Uninstall libpcap and other dependent applications/library using apt-get



2. Install subversion(Get latest source codes)

flex and bison(Required to recompile pf_ring aware pcap)

ethtool(if not preinstalled, required for some basic Nic info of your computer)

sudo apt-get install subversion flex bison ethtool

3. Use Subversion to fetch source codes

svn co PF_RING



4. Check your current network card/driver using ethtool

 #change eth0 to your ethernet card
ethtool -i eth0



driver: e1000e

version: 1.0.2-k2

firmware-version: 0.4-3

bus-info: 0000:00:19.0


Note: The modified device drivers for some of the popular network cards can be found in PF_RING/drivers.


5. Unload the ethernet card driver(this is shown in the first line of output of above command)


sudo rmmod e1000e




6. Change current working directory to kernel


cd PF_RING/kernel


7. Make the source codes 





8. Now install the newly build source


sudo make install




9. Change the working directory to PF_RING/userland/lib

cd ../userland/lib


10. Again build the source codes



11. Install the library(This include pfring.h)

sudo make install 

[注意] 在最新版本没有出现pfring_e1000e_dna.c和pfring_e1000e_dna.h这两个文件

12. One bizerre(奇异) thing  that I observed(观察) is that the make install copies pfring.h to /usr/local/include but leaves the other dependent files these are:

 1. pfring_e1000e_dna.c

 2. pfring_e1000e_dna.h


13. Although the function in these files are not required in much of the program, they are include in pfring.h and i don't want to mess up with that.So we copy this to /usr/local/include.


cp pfring_e1000e_dna.c /usr/local/include
cp pfring_e1000e_dna.h /usr/local/include




14. Now we have to compile PF_RING aware pcap library. Change the working directory to userland/libpcap-1.0.0-ring


cd ../libpcap-1.0.0-ring/



15. Configure





16. Build the sources




17. Install pf_ring aware(知道) libpcap


sudo make install


[安装PF_RING可用设备驱动, 选择适合本机的]

18. Now we need to install the device driver(pf_ring aware). Change the working directory to drivers///src

In my case it is "drivers/intel/e1000e-1.0.15/src"


cd ../../drivers/intel/e1000e-1.0.15/src


19. Build the source





20. Install the driver


sudo make install



21. Now we need to activate PF_RING if its not already activated. You can use Ismod to check if pf_ring is started or not.

Change the working directory to /lib/modules//kernel/net/pf_ring

Use uname -r to get  the kernel version 


cd /lib/modules/2.6.31-14-generic/kernel/net/pf_ring


22. Enable PF_RING(if already enabled you can disable it using sudo rmmod pf_ring)


sudo insmod pf_ring.ko transparent_mode=1




   • transparent_mode=0 (default)

      Packets are received via the standard Linux interface. Any driver can use this mode.  

   • transparent_mode=1 (Both vanilla and PF_RING-aware drivers)

      Packets are memcpy() to PF_RING and also to the standard Linux path.

   • transparent_mode=2 (PF_RING -aware drivers only)

      Packets are ONLY memcpy() to PF_RING and not to the standard Linux path (i.e. tcpdump won't see


The higher is the transparent_mode value, the faster it gets packet capture.




Other parameters:

   • min_num_slots

     Min number of ring slots (default — 4096).

   • enable_tx_capture

     Set to 1 to capture outgoing packets, set to 0 to disable capture outgoing packets (default — RX+TX).

   • enable_ip_defrag

     Set to 1 to enable IP defragmentation, only rx traffic is defragmented.



More on transparent mode can be found at



23. Now enable to enable your driver go to /lib/modules//kernel/drivers/net/e1000e


cd /lib/modules/2.6.31-14-generic/kernel/drivers/net/e1000e


24. Enable the driver


sudo insmod e1000e.ko


25. Now you can start working on your PF_RING application.

Note: You will have to recompile many applications such as tcpdump(modified included), network manager etc. Google for doing so.


2. PF_RING demo



Checking PF_RING Device Configuration

When PF_RING is activated, a new entry /proc/net/pf_ring is created.


cat /proc/net/pf_ring/info


cat /proc/net/pf_ring/plugins_info



libpfring and libpcap is necessary to link you PF_RING-enabled applications also against the -lpthread library.













