CapabilitiesΒΆ
In order to run a raw capture with PF_RING, you need to run as privileged user or set the proper capabilities to the application.
PF_RING used to check the CAP_SYS_ADMIN capability, however since kernel 3.8 the CAP_SYS_RAW capability is required.
Example on latest kernels:
sudo setcap cap_net_raw+eip /usr/bin/pfcount
On kernel <3.8:
sudo setcap cap_net_admin+eip /usr/bin/pfcount
If you are using ZC drivers, CAP_IPC_LOCK and CAP_SYS_ADMIN are also required:
sudo setcap cap_net_raw,cap_ipc_lock,cap_sys_admin+eip /usr/bin/pfcount
Note: if your application is not capturing from a ZC interface directly (e.g. it is capturing from a ZC queue created by zbalance_ipc), the CAP_SYS_ADMIN capability is not required.
If you are running an application based on the PF_RING ZC API (e.g. zcount), hugepages permissions are also required. A common practice to create a group for hugepages users and set the GID when mounting the hugetlb mountpoint:
mount -t hugetlbfs -o gid=1002 nodev /dev/hugepages
Please note that you can set the GID in the pf_ring hugepages configuration file to automatically mount the hugetlb filesystem with the right permissions:
echo "node=0 hugepagenumber=1024 gid=1002" > /etc/pf_ring/hugepages.conf
Please also note that the a ZC application using hugepages, needs to translate virtual addresses to physical addresses. For this reason it needs to access /proc/self/pagemap, however on some kernel versions (e.g. 4.0 and 4.1) opening this file by unprivileged processes leads to failures with -EPERM for security reasons, while on other kernels the CAP_SYS_ADMIN capability is usually enough.