[Snort-users] Large receive offload, good or bad?

elof at ...6680... elof at ...6680...
Thu Aug 30 05:25:40 EDT 2012


Snort says:

"FYI: Please note that, by default, snort will truncate packets larger 
than the default snaplen of 15158 bytes.  Additionally, LRO may cause issues 
with Stream5 target-based reassembly.  It is recommended to disable LRO, 
if your card supports it."


Questions:

LRO sounds like a good thing - aggregating multiple incoming packets from 
a single stream into a larger buffer before they are passed higher up the 
networking stack will reduce CPU overhead.

If one does not use target-based reassembly in snort, can/should LRO be 
enabled? What's you opinion?

Is there any other reasons to disable LRO?

Otherwise I think LRO should be enabled by default...

/Elof




More information about the Snort-users mailing list