CentOS - Apr 2006 - Centos as a network recorder and request

I am looking at using CentOS to use as a network recorder to enhance our
security analysis. During my research I found that the linux kernel (not
CentOS specific) has a bad problem of dropping packets on gigabit
connections. This problem exists even on a dual xeon system with 1gb ram
using a minimal install. Once I found the ethereal performance wiki I
realized the problem was not in the system but in the manner in which
packets are moved from the kernel to userland.

http://wiki.ethereal.com/Performance


The only solution I can find to address this is a kernel patch called
pf_ring
http://www.ntop.org/PF_RING.html


I would prefer to not recompile the kernel and instead stay with the
supportable baseline provided by centos. But, in order to reduce dropped
packets, having pf_ring compiled into the kernel appears to be my only
solution unless someone here knows another way they want to share.

I did some mailling list and forum archive research on recompiling the
kernel and followed (for awhile) the 'newbie kernel question' thread in
hopes of finding some answers on how to do this using the centos sources
without going to kernel.org.
>From what I gather recompiling is not recommended (understandable from a
support viewpoint) so is there enough interest from the CentOS community
(and from the CentOS team) to request this to be added, maybe as a
separate branch like the 64bit iso's?

If not, again understandable as that would be yet 1 more branch to
support, then would someone please provide  link/links to more
information on recompiling the centos kernel.src.rpm? Googling I found
all kinds of information but it either dealt with the 2.4 branch, 2.6
when it was still in testing (digital hermit), involved other distros
(Installing PF_RING and nProbe on Fedora Core 4), or was for stock
RedHat Enterprise and although CentOS uses the src.rpms from RedHat, I
do not want to assume the compile process is the same and end up
shooting myself in the foot.

Having a process that can be followed for CentOS 4.3 to add
functionality to the stock kernel would be a great edition for people
like me who have had no need in the past to recompile the kernel or
roll-their-own (yeah I looked at linux from scratch too as an option).

As a side note, based on some of the previous threads involving centos
4.3 and compiling kernels my timing for this post is probably not the
best. It is not my intention to start more arguing but to simply pose my
current problem and seek assistance from the CentOS community for a
solution.

Thanks,

Greg

On Tue, 2006-04-18 at 08:26 -0500, King, John (Greg) (LMIT-HOU)
wrote:
> I am looking at using CentOS to use as a network recorder to enhance our
> security analysis. During my research I found that the linux kernel (not
> CentOS specific) has a bad problem of dropping packets on gigabit
> connections. This problem exists even on a dual xeon system with 1gb ram
> using a minimal install. Once I found the ethereal performance wiki I
> realized the problem was not in the system but in the manner in which
> packets are moved from the kernel to userland.
> 
> http://wiki.ethereal.com/Performance
> 
> 
> The only solution I can find to address this is a kernel patch called
> pf_ring
> http://www.ntop.org/PF_RING.html
> 
> 
> I would prefer to not recompile the kernel and instead stay with the
> supportable baseline provided by centos. But, in order to reduce dropped
> packets, having pf_ring compiled into the kernel appears to be my only
> solution unless someone here knows another way they want to share.
> 
> I did some mailling list and forum archive research on recompiling the
> kernel and followed (for awhile) the 'newbie kernel question'
thread in
> hopes of finding some answers on how to do this using the centos sources
> without going to kernel.org.
> 
> >From what I gather recompiling is not recommended (understandable from
a
> support viewpoint) so is there enough interest from the CentOS community
> (and from the CentOS team) to request this to be added, maybe as a
> separate branch like the 64bit iso's?
> 
> If not, again understandable as that would be yet 1 more branch to
> support, then would someone please provide  link/links to more
> information on recompiling the centos kernel.src.rpm? Googling I found
> all kinds of information but it either dealt with the 2.4 branch, 2.6
> when it was still in testing (digital hermit), involved other distros
> (Installing PF_RING and nProbe on Fedora Core 4), or was for stock
> RedHat Enterprise and although CentOS uses the src.rpms from RedHat, I
> do not want to assume the compile process is the same and end up
> shooting myself in the foot.
> 
> Having a process that can be followed for CentOS 4.3 to add
> functionality to the stock kernel would be a great edition for people
> like me who have had no need in the past to recompile the kernel or
> roll-their-own (yeah I looked at linux from scratch too as an option).
> 
> As a side note, based on some of the previous threads involving centos
> 4.3 and compiling kernels my timing for this post is probably not the
> best. It is not my intention to start more arguing but to simply pose my
> current problem and seek assistance from the CentOS community for a
> solution.
No ... in this case, you have a reason that might require a recompiled
kernel.

Sometimes, it is required ... and in those cases, it is the only choice.

We can't add functionality to the standard kernel ... we make our just
like the upstream one on purpose.  If it is broken upstream, we have the
same breaks :)  That is what the people who run CentOS want ... they
want it the same.

This is a temporary link for the wiki entry for recompiling the
kernel ... and it will probably change in the future:

http://wiki.centos.org/centoswiki/I_need_the_Kernel_Source

Thanks,
Johnny Hughes


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.centos.org/pipermail/centos/attachments/20060418/db6fc979/attachment.sig>