I am looking at using CentOS to use as a network recorder to enhance our security analysis. During my research I found that the linux kernel (not CentOS specific) has a bad problem of dropping packets on gigabit connections. This problem exists even on a dual xeon system with 1gb ram using a minimal install. Once I found the ethereal performance wiki I realized the problem was not in the system but in the manner in which packets are moved from the kernel to userland.
http://wiki.ethereal.com/Performance
The only solution I can find to address this is a kernel patch called pf_ring http://www.ntop.org/PF_RING.html
I would prefer to not recompile the kernel and instead stay with the supportable baseline provided by centos. But, in order to reduce dropped packets, having pf_ring compiled into the kernel appears to be my only solution unless someone here knows another way they want to share.
I did some mailling list and forum archive research on recompiling the kernel and followed (for awhile) the 'newbie kernel question' thread in hopes of finding some answers on how to do this using the centos sources without going to kernel.org.
From what I gather recompiling is not recommended (understandable from a
support viewpoint) so is there enough interest from the CentOS community (and from the CentOS team) to request this to be added, maybe as a separate branch like the 64bit iso's?
If not, again understandable as that would be yet 1 more branch to support, then would someone please provide link/links to more information on recompiling the centos kernel.src.rpm? Googling I found all kinds of information but it either dealt with the 2.4 branch, 2.6 when it was still in testing (digital hermit), involved other distros (Installing PF_RING and nProbe on Fedora Core 4), or was for stock RedHat Enterprise and although CentOS uses the src.rpms from RedHat, I do not want to assume the compile process is the same and end up shooting myself in the foot.
Having a process that can be followed for CentOS 4.3 to add functionality to the stock kernel would be a great edition for people like me who have had no need in the past to recompile the kernel or roll-their-own (yeah I looked at linux from scratch too as an option).
As a side note, based on some of the previous threads involving centos 4.3 and compiling kernels my timing for this post is probably not the best. It is not my intention to start more arguing but to simply pose my current problem and seek assistance from the CentOS community for a solution.
Thanks,
Greg