[CentOS] Centos as a network recorder and request

King, John (Greg) (LMIT-HOU)

Greg.King at lmit.com
Tue Apr 18 13:26:36 UTC 2006


I am looking at using CentOS to use as a network recorder to enhance our
security analysis. During my research I found that the linux kernel (not
CentOS specific) has a bad problem of dropping packets on gigabit
connections. This problem exists even on a dual xeon system with 1gb ram
using a minimal install. Once I found the ethereal performance wiki I
realized the problem was not in the system but in the manner in which
packets are moved from the kernel to userland.

http://wiki.ethereal.com/Performance


The only solution I can find to address this is a kernel patch called
pf_ring
http://www.ntop.org/PF_RING.html


I would prefer to not recompile the kernel and instead stay with the
supportable baseline provided by centos. But, in order to reduce dropped
packets, having pf_ring compiled into the kernel appears to be my only
solution unless someone here knows another way they want to share.

I did some mailing list and forum archive research on recompiling the
kernel and followed (for a while) the 'newbie kernel question' thread in
hopes of finding some answers on how to do this using the centos sources
without going to kernel.org.

From what I gather recompiling is not recommended (understandable from a
support viewpoint) so is there enough interest from the CentOS community
(and from the CentOS team) to request this to be added, maybe as a
separate branch like the 64bit iso's?

If not, again understandable as that would be yet 1 more branch to
support, then would someone please provide link/links to more
information on recompiling the centos kernel.src.rpm? Googling I found
all kinds of information but it either dealt with the 2.4 branch, 2.6
when it was still in testing (digital hermit), involved other distros
(Installing PF_RING and nProbe on Fedora Core 4), or was for stock
RedHat Enterprise and although CentOS uses the src.rpms from RedHat, I
do not want to assume the compile process is the same and end up
shooting myself in the foot.

Having a process that can be followed for CentOS 4.3 to add
functionality to the stock kernel would be a great addition for people
like me who have had no need in the past to recompile the kernel or
roll-their-own (yeah I looked at linux from scratch too as an option).

As a side note, based on some of the previous threads involving centos
4.3 and compiling kernels my timing for this post is probably not the
best. It is not my intention to start more arguing but to simply pose my
current problem and seek assistance from the CentOS community for a
solution.

Thanks,

Greg



