[Snort-devel] 2GB maximum binary log file size...

Christopher E. Cramer chris.cramer at ...219...
Mon Nov 12 18:01:02 EST 2001


Are you logging in binary (tcpdump) format?

If so, then you may be hitting the 2GB limit in libpcap.  You might try 
recompiling libpcap with the appropriate large file magic.

To test if this is the case (without recompiling libpcap) log the packets 
in text and see if you can pass the 2GB limit.  

-Chris

On Mon, 12 Nov 2001, Abe L. Getchell wrote:

> Hi Chris,
> 
> Tried the #define you included in your e-mail, no dice.  Snort core
> dumped and printed an error message to the console when the binary log
> file reached 2GB; exactly the same as before.  So, while doing some
> further research and poking around the libc info pages, I found:
> 
>  - Macro: _FILE_OFFSET_BITS
>      This macro determines which file system interface shall be used,
>      one replacing the other.  Whereas `_LARGEFILE64_SOURCE' makes the
>      64 bit interface available as an additional interface,
>      `_FILE_OFFSET_BITS' allows the 64 bit interface to replace the old
>      interface.
> 
>      If `_FILE_OFFSET_BITS' is undefined, or if it is defined to the
>      value `32', nothing changes.  The 32 bit interface is used and
>      types like `off_t' have a size of 32 bits on 32 bit systems.
> 
>      If the macro is defined to the value `64', the large file interface
>      replaces the old interface.  I.e., the functions are not made
>      available under different names (as they are with
>      `_LARGEFILE64_SOURCE').  Instead the old function names now
>      reference the new functions, e.g., a call to `fseeko' now indeed
>      calls `fseeko64'.
> 
>      This macro should only be selected if the system provides
>      mechanisms for handling large files.  On 64 bit systems this macro
>      has no effect since the `*64' functions are identical to the
>      normal functions.
> 
>      This macro was introduced as part of the Large File Support
>      extension (LFS).
> 
> So I tried '#define _FILE_OFFSET_BITS 64' in snort.h.  No dice _again_.
> Still doesn't work.  Everything compiles fine, no warnings or errors,
> but snort still exhibits the same behavior when the binary log file
> reaches 2GB.  Anyone know why this #define seemingly isn't working?
> According to everything I read in the libc info pages and on various
> sites on the web, this should have fixed it.
> 
> Thanks,
> Abe
> 
> --
> Abe L. Getchell
> Security Engineer
> abegetchell at ...243...
> 
> 
> > -----Original Message-----
> > From: Chris Green [mailto:cmg at ...81...] 
> > Sent: Monday, November 12, 2001 10:02 AM
> > To: abegetchell at ...243...
> > Cc: snort-devel at lists.sourceforge.net
> > Subject: Re: [Snort-devel] 2GB maximum binary log file size...
> > 
> > 
> > "Abe L. Getchell" <abegetchell at ...243...> writes:
> > 
> > >
> > > Is there any good reason why the "magic #define" or the new LFS
> > > interfaces aren't used in Snort?  This added file size limit would be
> > > very handy for those of us using Snort which are grabbing mass amounts
> > > of data off of high volume networks.
> > 
> > No one has really brought it up yet AFAIK.  You might wish to 
> > try the magic define approach until a proper solution can be 
> > worked out...
> > 
> > Are the open64's/etc. supposed to be used on Solaris as well? 
> >  What other OSes support it?  
> > 
> > Try
> > 
> > #define __USE_FILE_OFFSET64 in snort.h and it should get
> > propagated everywhere.
> > 
> > -- 
> > Chris Green <cmg at ...81...>
> > This is my signature. There are many like it but this one is mine.
> > 
> 
> 
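An added probe (my own code, not from anyone in this thread) for the defect Abe and Chris are chasing: it defines `_FILE_OFFSET_BITS 64` before any system header, reports the resulting `sizeof(off_t)`, and then actually crosses the 2GB mark in a throwaway temp file so the C library's 32-bit fopen/fwrite path gets exercised rather than guessed at. The function names and the 2^31 probe offset are my own choices; it assumes a POSIX system whose filesystem supports sparse files.

```c
/* Define LFS before ANY system header: the macro only works if it is seen
 * by every translation unit that opens or writes the file, including
 * libpcap's own, which a define placed in snort.h alone cannot reach. */
#ifndef _FILE_OFFSET_BITS
#define _FILE_OFFSET_BITS 64
#endif
#include <stdio.h>
#include <stdint.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#define TWO_GIB ((int64_t)1 << 31)   /* the wall: 2^31 bytes */

/* Build-time view: 1 if this compile's off_t can hold offsets beyond 2 GiB. */
int off_t_is_64bit(void) { return sizeof(off_t) == 8; }

/* Run-time view: seek just past 2 GiB in an anonymous temp file, write one
 * byte (a sparse write, so no real disk is consumed) and confirm the size
 * with fstat().  Returns 1 if the wall can be crossed, 0 otherwise; the
 * failing errno (EFBIG/EOVERFLOW on a non-LFS 32-bit build) goes in *err. */
int probe_large_file(int *err) {
    struct stat st;
    int ok = 0;
    FILE *fp = tmpfile();            /* becomes tmpfile64() under LFS */
    if (fp == NULL) { *err = errno; return 0; }
    if (fseeko(fp, (off_t)TWO_GIB, SEEK_SET) == 0 &&
        fputc('x', fp) != EOF && fflush(fp) == 0 &&
        fstat(fileno(fp), &st) == 0 &&
        (int64_t)st.st_size == TWO_GIB + 1)
        ok = 1;
    *err = ok ? 0 : errno;
    fclose(fp);                      /* tmpfile() is unlinked on close */
    return ok;
}

int main(void) {
    int err = 0;
    int ok = probe_large_file(&err);
    printf("sizeof(off_t) = %zu bytes\n", sizeof(off_t));
    printf("write past 2 GiB: %s%s%s\n", ok ? "ok" : "FAILED",
           ok ? "" : " - ", ok ? "" : strerror(err));
    return ok ? 0 : 1;
}
```

Build it once with the define and once without (or with `-U_FILE_OFFSET_BITS` on a 32-bit toolchain) to see the behaviour flip; on a 64-bit system both builds pass, which is exactly the "no effect on 64 bit systems" note in the libc text quoted above.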