
Short question, maybe someone can give me some information;
I am working on 2 Snort installations; one on Windows (2000) platform, one
on Redhat 9
In documentation of Snort for Windows, they talk about large fragmentation
due to the extensive logging of snort.
I believe in linux, fragmentation is not such an issue because of type of
file system. However, I am not quite sure.
If fragmentation can become an issue after some time, what tools can be used
to 'defrag'?
Please advise.


Utrecht, Netherlands

Re: fragmentation?

On Wed, 25 May 2005 10:43:04 +0200, RO|_F wrote:


There is (was?) a defrag utility that can be used on ext2 filesystems for
those who feel that they must defrag. I have never seen a defrag program
for a journalling filesystem though. If it were a problem, surely someone
would have noticed and added a defrag program by now. I wouldn't worry
about fragmentation and Linux.

Re: fragmentation?


I've FAQed this question and its answer.  Please see:
"Defragmenting" on

Cheers,
Rick Moen

Open-source SourceForge retakes the lead: Thank you, Tim Perdue.

Re: fragmentation?


Thanks. This was really helpful!
(i.e. I don't have to worry about fragmentation with linux!)

Re: fragmentation?


If you reach, say, 90% full on a filesystem, but keep
writing/erasing/rewriting large files, _that_ is when you will tend to
have fragmentation build-up.  Otherwise, normally no.

Re: fragmentation?


Even if it's highly fragmented, you'll rarely gain more than 25% boost in
performance by defragging for most linux filesystems.  Unlike fat32 where
you can gain many times 100% better performance.

ext2 does have e2defrag which is part of the defrag package in my debian
system.  I've used it, but most of what you gain is a little drive space
from more efficient use of the device.  And running updatedb plus ldconfig
seems to help about as much if not more in the efficiency department.  But
I don't run cron and therefore don't run the run-parts job that runs those
on a daily basis.

You can always tar up the partition, mkfs, then untar it back in most
cases.  And in many respects this is better and more efficient than most
defrag programs.  Of course tar assumes you have another partition/drive
to use that is large enough to handle the process.  

Many put /var/log/ and others on their own partitions to avoid
fragmentation where it counts, as well as overcoming other issues, which is
probably more of a motivator than fragmentation.



In snort, fragmentation has to do with data packet fragmentation.
Fragmentation occurs when the data packet is too big to be handled by
the router (usually 1500) and is then fragmented.

Example: You make an FTP connection to a server and begin transferring
a file. One packet is 1800 in size and is too big to be passed across
the router, so the router then breaks it up into several smaller
packets (like 2 packets that are 1000 each; keep in mind that they
will be bigger than the original packet because you have an
overhead). Then when the packet arrives at its destination that are

What snort is referring to is that fragmentation can be used to bypass
firewall ACLs (Access Control Lists). Some firewalls cannot handle
fragmented packets very well and will pass them through restricted

Example: If the router does not reassemble the packet and inspect it,
then bad things can happen. Say the fragmentation is just after the
destination address and the rest of the packet contains all of the
data. When it hits the firewall and the firewall does not reassemble
the packet, then it sees that the packet is destined for somewhere
inside its own network and lets it pass, since it doesn't know where
it came from. Then the rest of the packet comes along and tells the
firewall that the rest of itself is already at its destination
inside the network, and the firewall lets it through.

So, getting back to the question, you want snort to reassemble packets.
As for large files on the disk I think that has been addressed.
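The reassembly point above is worth seeing in code. The following is an added example, not code from the thread or from Snort itself: a toy IPv4 fragmenter and reassembler in Python, with a content check run once per fragment and once over the reassembled datagram. The packets are constructed for the example (hosts 10.0.0.5 and 10.0.0.9, IP id 0x1234, a TCP segment to port 21 carrying the string "USER root", and a deliberately tiny MTU of 48 bytes to force the string across fragment boundaries); the signature string is just a stand-in for whatever an IDS rule would match on. It also flags overlapping fragments instead of guessing which copy to trust, which is the kind of anomaly a reassembling preprocessor has to decide about.

```python
"""Toy IPv4 fragmentation and reassembly: why an IDS must put fragments
back together before matching content.  Packets are constructed for the
example; this is not Snort's own code."""
import struct
from collections import defaultdict

IP_FMT = "!BBHHHBBH4s4s"   # IPv4 header without options (20 bytes)
IP_HLEN = 20
PROTO_TCP = 6
SIGNATURE = b"USER root"   # constructed stand-in for rule content


def build_ipv4(ident, more_frags, offset_units, proto, src, dst, payload):
    """Return one datagram; header checksum is left at zero for brevity."""
    flags_frag = (int(more_frags) << 13) | (offset_units & 0x1FFF)
    hdr = struct.pack(IP_FMT, 0x45, 0, IP_HLEN + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload


def fragment(ident, proto, src, dst, payload, mtu):
    """Split a payload so each datagram fits `mtu` bytes (1500 on Ethernet).
    All fragments but the last carry a multiple of 8 payload bytes because
    the IP offset field counts 8-byte units."""
    chunk = (mtu - IP_HLEN) // 8 * 8
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = off + chunk < len(payload)
        frags.append(build_ipv4(ident, more, off // 8, proto, src, dst, piece))
    return frags


def parse_ipv4(pkt):
    """Extract just the fields reassembly needs."""
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack(IP_FMT, pkt[:IP_HLEN])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "key": (src, dst, ident, proto),          # shared by all fragments of one datagram
        "more_frags": bool((flags_frag >> 13) & 1),
        "offset": (flags_frag & 0x1FFF) * 8,       # byte offset into the payload
        "payload": pkt[ihl:total_len],
    }


class Reassembler:
    """Collect fragments per (src, dst, id, proto); emit the payload once a
    gap-free run from offset 0 to the last fragment is present.  Overlaps
    are recorded as anomalies rather than resolved by guesswork."""

    def __init__(self):
        self.pending = defaultdict(dict)   # key -> {offset: (payload, more_frags)}
        self.anomalies = []

    def feed(self, pkt):
        f = parse_ipv4(pkt)
        bucket = self.pending[f["key"]]
        if f["offset"] in bucket:                  # same offset seen twice
            self.anomalies.append(("overlap", f["key"], f["offset"]))
            return None
        bucket[f["offset"]] = (f["payload"], f["more_frags"])
        return self._try_complete(f["key"])

    def _try_complete(self, key):
        bucket = self.pending[key]
        data, expect = b"", 0
        for off in sorted(bucket):
            payload, more = bucket[off]
            if off > expect:
                return None                        # hole: a fragment is still missing
            if off < expect:                       # partial overlap with previous piece
                self.anomalies.append(("overlap", key, off))
                return None
            data += payload
            expect = off + len(payload)
            if not more:                           # last fragment reached, run is complete
                del self.pending[key]
                return data
        return None


def inspect_per_fragment(frags):
    """Stateless check: each fragment is searched on its own."""
    return any(SIGNATURE in parse_ipv4(p)["payload"] for p in frags)


def inspect_reassembled(frags):
    """Stateful check: search only once the whole datagram is back together."""
    r = Reassembler()
    return any((full := r.feed(p)) is not None and SIGNATURE in full for p in frags)


def sample_flow(mtu):
    """Constructed FTP-style segment: 20-byte TCP header to port 21, then data."""
    src, dst = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 21, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    payload = tcp_hdr + b"x" * 20 + SIGNATURE + b"\r\n"
    return fragment(0x1234, PROTO_TCP, src, dst, payload, mtu), payload


def demo(mtu=48):
    """Return (fragment count, per-fragment verdict, reassembled verdict)."""
    frags, _ = sample_flow(mtu)
    return len(frags), inspect_per_fragment(frags), inspect_reassembled(frags)
```

`demo()` with the 48-byte MTU gives three fragments, the per-fragment check misses the content and the reassembled check finds it; `demo(1500)` gives a single datagram on which both agree. The reassembler accepts fragments in any order and only reports a match once the last fragment closes the run. In Snort 2.x this job belongs to the frag3 preprocessor (`preprocessor frag3_global` and `preprocessor frag3_engine` in snort.conf), whose `policy` option selects which host's overlap behaviour to emulate and whose `detect_anomalies` option raises alerts on the overlap cases this toy merely records.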
