King, John (Greg) (LMIT-HOU)
2006-Apr-18 13:26 UTC
[CentOS] Centos as a network recorder and request
I am looking at using CentOS to use as a network recorder to enhance our security analysis. During my research I found that the linux kernel (not CentOS specific) has a bad problem of dropping packets on gigabit connections. This problem exists even on a dual xeon system with 1gb ram using a minimal install. Once I found the ethereal performance wiki I realized the problem was not in the system but in the manner in which packets are moved from the kernel to userland. http://wiki.ethereal.com/Performance The only solution I can find to address this is a kernel patch called pf_ring http://www.ntop.org/PF_RING.html I would prefer to not recompile the kernel and instead stay with the supportable baseline provided by centos. But, in order to reduce dropped packets, having pf_ring compiled into the kernel appears to be my only solution unless someone here knows another way they want to share. I did some mailling list and forum archive research on recompiling the kernel and followed (for awhile) the 'newbie kernel question' thread in hopes of finding some answers on how to do this using the centos sources without going to kernel.org.>From what I gather recompiling is not recommended (understandable from asupport viewpoint) so is there enough interest from the CentOS community (and from the CentOS team) to request this to be added, maybe as a separate branch like the 64bit iso's? If not, again understandable as that would be yet 1 more branch to support, then would someone please provide link/links to more information on recompiling the centos kernel.src.rpm? Googling I found all kinds of information but it either dealt with the 2.4 branch, 2.6 when it was still in testing (digital hermit), involved other distros (Installing PF_RING and nProbe on Fedora Core 4), or was for stock RedHat Enterprise and although CentOS uses the src.rpms from RedHat, I do not want to assume the compile process is the same and end up shooting myself in the foot. Having a process that can be followed for CentOS 4.3 to add functionality to the stock kernel would be a great edition for people like me who have had no need in the past to recompile the kernel or roll-their-own (yeah I looked at linux from scratch too as an option). As a side note, based on some of the previous threads involving centos 4.3 and compiling kernels my timing for this post is probably not the best. It is not my intention to start more arguing but to simply pose my current problem and seek assistance from the CentOS community for a solution. Thanks, Greg
On Tue, 2006-04-18 at 08:26 -0500, King, John (Greg) (LMIT-HOU) wrote:> I am looking at using CentOS to use as a network recorder to enhance our > security analysis. During my research I found that the linux kernel (not > CentOS specific) has a bad problem of dropping packets on gigabit > connections. This problem exists even on a dual xeon system with 1gb ram > using a minimal install. Once I found the ethereal performance wiki I > realized the problem was not in the system but in the manner in which > packets are moved from the kernel to userland. > > http://wiki.ethereal.com/Performance > > > The only solution I can find to address this is a kernel patch called > pf_ring > http://www.ntop.org/PF_RING.html > > > I would prefer to not recompile the kernel and instead stay with the > supportable baseline provided by centos. But, in order to reduce dropped > packets, having pf_ring compiled into the kernel appears to be my only > solution unless someone here knows another way they want to share. > > I did some mailling list and forum archive research on recompiling the > kernel and followed (for awhile) the 'newbie kernel question' thread in > hopes of finding some answers on how to do this using the centos sources > without going to kernel.org. > > >From what I gather recompiling is not recommended (understandable from a > support viewpoint) so is there enough interest from the CentOS community > (and from the CentOS team) to request this to be added, maybe as a > separate branch like the 64bit iso's? > > If not, again understandable as that would be yet 1 more branch to > support, then would someone please provide link/links to more > information on recompiling the centos kernel.src.rpm? Googling I found > all kinds of information but it either dealt with the 2.4 branch, 2.6 > when it was still in testing (digital hermit), involved other distros > (Installing PF_RING and nProbe on Fedora Core 4), or was for stock > RedHat Enterprise and although CentOS uses the src.rpms from RedHat, I > do not want to assume the compile process is the same and end up > shooting myself in the foot. > > Having a process that can be followed for CentOS 4.3 to add > functionality to the stock kernel would be a great edition for people > like me who have had no need in the past to recompile the kernel or > roll-their-own (yeah I looked at linux from scratch too as an option). > > As a side note, based on some of the previous threads involving centos > 4.3 and compiling kernels my timing for this post is probably not the > best. It is not my intention to start more arguing but to simply pose my > current problem and seek assistance from the CentOS community for a > solution.No ... in this case, you have a reason that might require a recompiled kernel. Sometimes, it is required ... and in those cases, it is the only choice. We can't add functionality to the standard kernel ... we make our just like the upstream one on purpose. If it is broken upstream, we have the same breaks :) That is what the people who run CentOS want ... they want it the same. This is a temporary link for the wiki entry for recompiling the kernel ... and it will probably change in the future: http://wiki.centos.org/centoswiki/I_need_the_Kernel_Source Thanks, Johnny Hughes -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: <http://lists.centos.org/pipermail/centos/attachments/20060418/db6fc979/attachment.sig>
Seemingly Similar Threads
- Linux Software to monitor quality of bandwidth for carrying voip traffic - suggestions please?
- PF_RING crashed the CentOS5 - BUG: soft lockup - CPU#7
- BUG: soft lockup - CPU#1 stuck for 61s!
- Cluster Analysis:build a classifier?
- Kernel panic on 6.8 release with kernel-2.6.32-642.el6.x86_64