[CentOS] Centos as a network recorder and request

Tue Apr 18 19:51:47 UTC 2006
Johnny Hughes <mailing-lists at hughesjr.com>

On Tue, 2006-04-18 at 08:26 -0500, King, John (Greg) (LMIT-HOU) wrote:
> I am looking at using CentOS to use as a network recorder to enhance our
> security analysis. During my research I found that the linux kernel (not
> CentOS specific) has a bad problem of dropping packets on gigabit
> connections. This problem exists even on a dual xeon system with 1gb ram
> using a minimal install. Once I found the ethereal performance wiki I
> realized the problem was not in the system but in the manner in which
> packets are moved from the kernel to userland.
> 
> http://wiki.ethereal.com/Performance
> 
> 
> The only solution I can find to address this is a kernel patch called
> pf_ring
> http://www.ntop.org/PF_RING.html
> 
> 
> I would prefer to not recompile the kernel and instead stay with the
> supportable baseline provided by centos. But, in order to reduce dropped
> packets, having pf_ring compiled into the kernel appears to be my only
> solution unless someone here knows another way they want to share.
> 
> I did some mailing list and forum archive research on recompiling the
> kernel and followed (for awhile) the 'newbie kernel question' thread in
> hopes of finding some answers on how to do this using the centos sources
> without going to kernel.org.
> 
> From what I gather recompiling is not recommended (understandable from a
> support viewpoint) so is there enough interest from the CentOS community
> (and from the CentOS team) to request this to be added, maybe as a
> separate branch like the 64bit iso's?
> 
> If not, again understandable as that would be yet 1 more branch to
> support, then would someone please provide link/links to more
> information on recompiling the centos kernel.src.rpm? Googling I found
> all kinds of information but it either dealt with the 2.4 branch, 2.6
> when it was still in testing (digital hermit), involved other distros
> (Installing PF_RING and nProbe on Fedora Core 4), or was for stock
> RedHat Enterprise and although CentOS uses the src.rpms from RedHat, I
> do not want to assume the compile process is the same and end up
> shooting myself in the foot.
> 
> Having a process that can be followed for CentOS 4.3 to add
> functionality to the stock kernel would be a great addition for people
> like me who have had no need in the past to recompile the kernel or
> roll-their-own (yeah I looked at linux from scratch too as an option).
> 
> As a side note, based on some of the previous threads involving centos
> 4.3 and compiling kernels my timing for this post is probably not the
> best. It is not my intention to start more arguing but to simply pose my
> current problem and seek assistance from the CentOS community for a
> solution.

No ... in this case, you have a reason that might require a recompiled
kernel.

Sometimes, it is required ... and in those cases, it is the only choice.

We can't add functionality to the standard kernel ... we make ours just
like the upstream one on purpose.  If it is broken upstream, we have the
same breaks :)  That is what the people who run CentOS want ... they
want it the same.

This is a temporary link for the wiki entry for recompiling the
kernel ... and it will probably change in the future:

http://wiki.centos.org/centoswiki/I_need_the_Kernel_Source

Thanks,
Johnny Hughes

