[Snort-users] improving performance of the defrag module

Austad, Jay austad at ...432...
Fri Jan 19 10:30:02 EST 2001

When I use the defrag module, it maxes out the CPU on a PIII 733 when I'm
sniffing a 25Mb/sec link.  I was looking at the source, and I found this:

#define FRAGTIMEOUTSEC      10      /* 10 seconds let's play safe for now */
#define FRAGTIMEOUTUSEC      0      /* 0 micro seconds                  */
#define FASTSWEEPLIM      16000000      /* memory use threhold for fast sweep */

If I reduce the FRAGTIMEOUTSEC from 10 down to something like 2, won't that
keep the size of the splay tree smaller and reduce search times?  Will
either of the other 2 settings do anything useful for me?


