[Snort-devel] 2GB maximum binary log file size...

Abe L. Getchell abegetchell at ...243...
Mon Nov 12 15:46:02 EST 2001

Hi Chris,

Tried the #define you included in your e-mail, no dice.  Snort core
dumped and printed an error message to the console when the binary log
file reached 2GB; exactly the same as before.  So, while doing some
further research and poking around the libc info pages, I found:

     This macro determines which file system interface shall be used,
     one replacing the other.  Whereas `_LARGEFILE64_SOURCE' makes the
     64 bit interface available as an additional interface,
     `_FILE_OFFSET_BITS' allows the 64 bit interface to replace the old

     If `_FILE_OFFSET_BITS' is undefined, or if it is defined to the
     value `32', nothing changes.  The 32 bit interface is used and
     types like `off_t' have a size of 32 bits on 32 bit systems.

     If the macro is defined to the value `64', the large file interface
     replaces the old interface.  I.e., the functions are not made
     available under different names (as they are with
     `_LARGEFILE64_SOURCE').  Instead the old function names now
     reference the new functions, e.g., a call to `fseeko' now indeed
     calls `fseeko64'.

     This macro should only be selected if the system provides
     mechanisms for handling large files.  On 64 bit systems this macro
     has no effect since the `*64' functions are identical to the
     normal functions.

     This macro was introduced as part of the Large File Support
     extension (LFS).

So I tried '#define _FILE_OFFSET_BITS 64' in snort.h.  No dice _again_.
Still doesn't work.  Everything compiles fine, no warnings or errors,
but snort still exhibits the same behavior when the binary log file
reaches 2GB.  Anyone know why this #define seemingly isn't working?
According to everything I read in the libc info pages and on various
sites on the web, this should have fixed it.


Abe L. Getchell
Security Engineer
abegetchell at ...243...

> -----Original Message-----
> From: Chris Green [mailto:cmg at ...81...]
> Sent: Monday, November 12, 2001 10:02 AM
> To: abegetchell at ...243...
> Cc: snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-devel] 2GB maximum binary log file size...
>
> "Abe L. Getchell" <abegetchell at ...243...> writes:
> >
> > Is there any good reason why the "magic #define" or the new LFS
> > interfaces aren't used in Snort?  This added file size limit would be
> > very handy for those of us using Snort which are grabbing mass amounts
> > of data off of high volume networks.
>
> No one has really brought it up yet AFAIK.  You might wish to
> try the magic define approach until a proper solution can be
> worked out...
>
> Are the open64's/etc. supposed to be used on Solaris as well?
> What other OSes support it?
>
> Try
> #define __USE_FILE_OFFSET64 in snort.h and it should get
> propagated everywhere.
> -- 
> Chris Green <cmg at ...81...>
> This is my signature. There are many like it but this one is mine.
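
The behaviour described in the libc excerpt above, as an added example that is not part of the original message or of Snort's source: with `_FILE_OFFSET_BITS` set to 64 ahead of the first system header, `off_t` is 64 bits wide and `fseeko`/`ftello` accept an offset past 2GB. The names `probe_offset`, `off_t_bits` and `OFFSET_2GB` and the `_POSIX_C_SOURCE` line are assumptions of this sketch.

```c
/* Added example, not Snort code. glibc reads feature-test macros when the
   first system header is included, so these defines come before any #include. */
#define _FILE_OFFSET_BITS 64
#define _POSIX_C_SOURCE 200809L   /* assumption: exposes fseeko/ftello under strict -std */

#include <stdio.h>
#include <sys/types.h>

/* Fail the build rather than fail at the 2GB mark at run time. */
_Static_assert(sizeof(off_t) == 8,
               "off_t is not 64 bits: large file macro not in effect");

/* First offset a signed 32-bit off_t cannot represent (2^31). */
#define OFFSET_2GB ((off_t)1 << 31)

/* Width of off_t in this translation unit, in bits. */
int off_t_bits(void)
{
    return (int)(sizeof(off_t) * 8);
}

/* Seek a scratch file to `target` and return the position stdio reports,
   or -1 on error. Nothing is written, so no disk space is consumed. */
off_t probe_offset(off_t target)
{
    FILE *fp = tmpfile();
    off_t pos = -1;

    if (fp == NULL)
        return -1;
    if (fseeko(fp, target, SEEK_SET) == 0)
        pos = ftello(fp);
    fclose(fp);
    return pos;
}

int main(void)
{
    off_t pos = probe_offset(OFFSET_2GB + 4096);

    printf("off_t is %d bits\n", off_t_bits());
    if (pos < 0) {
        fprintf(stderr, "seek past 2GB failed\n");
        return 1;
    }
    printf("positioned at %lld\n", (long long)pos);
    return 0;
}
```

The `_Static_assert` is per translation unit, so it only vouches for files that carry it; code in a separately compiled library is not covered by a define in the application's header.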
