[Snort-devel] 2GB maximum binary log file size...

Abe L. Getchell abegetchell at ...243...
Mon Nov 12 20:38:02 EST 2001


Hi Chris,

Tried it, didn't work.  Compiled tcpdump with LFS support.  Didn't work.
I am starting to have the distinct impression that the code changes not
working have more to do with the person making the changes than the
changes themselves.  Doh! =)

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell at ...243...


> -----Original Message-----
> From: Christopher E. Cramer [mailto:chris.cramer at ...219...] 
> Sent: Monday, November 12, 2001 9:00 PM
> To: Abe L. Getchell
> Cc: snort-devel at lists.sourceforge.net
> Subject: RE: [Snort-devel] 2GB maximum binary log file size...
> 
> 
> 
> Are you logging in binary (tcpdump) format?
> 
> If so, then you may be hitting the 2GB limit in libpcap.  You might try
> recompiling libpcap with the appropriate large file magic.
> 
> To test if this is the case (without recompiling libpcap) log the packets
> in text and see if you can pass the 2GB limit.
> 
> -Chris
> 
> On Mon, 12 Nov 2001, Abe L. Getchell wrote:
> 
> > Hi Chris,
> > 
> > Tried the #define you included in your e-mail, no dice.  Snort core
> > dumped and printed an error message to the console when the binary log
> > file reached 2GB; exactly the same as before.  So, while doing some
> > further research and poking around the libc info pages, I found:
> > 
> >  - Macro: _FILE_OFFSET_BITS
> >      This macro determines which file system interface shall be used,
> >      one replacing the other.  Whereas `_LARGEFILE64_SOURCE' makes the
> >      64 bit interface available as an additional interface,
> >      `_FILE_OFFSET_BITS' allows the 64 bit interface to replace the old
> >      interface.
> > 
> >      If `_FILE_OFFSET_BITS' is undefined, or if it is defined to the
> >      value `32', nothing changes.  The 32 bit interface is used and
> >      types like `off_t' have a size of 32 bits on 32 bit systems.
> > 
> >      If the macro is defined to the value `64', the large file interface
> >      replaces the old interface.  I.e., the functions are not made
> >      available under different names (as they are with
> >      `_LARGEFILE64_SOURCE').  Instead the old function names now
> >      reference the new functions, e.g., a call to `fseeko' now indeed
> >      calls `fseeko64'.
> > 
> >      This macro should only be selected if the system provides
> >      mechanisms for handling large files.  On 64 bit systems this macro
> >      has no effect since the `*64' functions are identical to the
> >      normal functions.
> > 
> >      This macro was introduced as part of the Large File Support
> >      extension (LFS).
> > 
> > So I tried '#define _FILE_OFFSET_BITS 64' in snort.h.  No dice
> > _again_. Still doesn't work.  Everything compiles fine, no warnings or
> > errors, but snort still exhibits the same behavior when the binary log
> > file reaches 2GB.  Anyone know why this #define seemingly isn't
> > working? According to everything I read in the libc info pages and on
> > various sites on the web, this should have fixed it.
> > 
> > Thanks,
> > Abe
> > 
> > --
> > Abe L. Getchell
> > Security Engineer
> > abegetchell at ...243...
> > 
> > 
> > > -----Original Message-----
> > > From: Chris Green [mailto:cmg at ...81...]
> > > Sent: Monday, November 12, 2001 10:02 AM
> > > To: abegetchell at ...243...
> > > Cc: snort-devel at lists.sourceforge.net
> > > Subject: Re: [Snort-devel] 2GB maximum binary log file size...
> > > 
> > > 
> > > "Abe L. Getchell" <abegetchell at ...243...> writes:
> > > 
> > > >
> > > > Is there any good reason why the "magic #define" or the new LFS
> > > > interfaces aren't used in Snort?  This added file size limit would be
> > > > very handy for those of us using Snort which are grabbing mass amounts
> > > > of data off of high volume networks.
> > > 
> > > No one has really brought it up yet AFAIK.  You might wish to
> > > try the magic define approach until a proper solution can be 
> > > worked out...
> > > 
> > > Are the open64's/etc. supposed to be used on Solaris as well?
> > >  What other OSes support it?  
> > > 
> > > Try
> > > 
> > > #define __USE_FILE_OFFSET64 in snort.h and it should get
> > > propagated everywhere.
> > > 
> > > --
> > > Chris Green <cmg at ...81...>
> > > This is my signature. There are many like it but this one is mine.
> > > 
> > 
> > 
> 
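
Added example, not code from this thread or from Snort or libpcap: a minimal C check of the `_FILE_OFFSET_BITS` behaviour described in the libc text quoted above. It defines the macro before any system header, reports the width of `off_t`, and writes one byte at the 2 GiB offset of a sparse temporary file; the function names, `PROBE_OFFSET` and the temp path are assumptions made for the example.

```c
/* Added example (not from the thread): _FILE_OFFSET_BITS must be defined
 * before the first system header, or off_t keeps its default width. */
#define _FILE_OFFSET_BITS 64
#define _POSIX_C_SOURCE 200809L  /* assumption: POSIX.1-2008 for mkstemp, fseeko */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* First byte offset a signed 32-bit off_t cannot represent (2 GiB). */
#define PROBE_OFFSET 2147483648LL

/* Width of off_t in this translation unit; 64 when LFS is in effect. */
int off_t_bits(void)
{
    return (int)(sizeof(off_t) * 8);
}

/* Write one byte at the 2 GiB mark of a sparse temp file through stdio
 * and return the resulting file size, or -1 if any step fails. */
long long probe_past_2gb(void)
{
    char path[] = "/tmp/lfs_probe_XXXXXX";   /* constructed temp name */
    struct stat st;
    long long size = -1;
    int fd = mkstemp(path);
    FILE *fp = (fd >= 0) ? fdopen(fd, "wb") : NULL;

    if (fp == NULL) {
        if (fd >= 0) { close(fd); unlink(path); }
        return -1;
    }
    if (fseeko(fp, (off_t)PROBE_OFFSET, SEEK_SET) == 0 &&
        fputc('x', fp) != EOF &&
        fflush(fp) == 0 &&
        fstat(fd, &st) == 0)
        size = (long long)st.st_size;
    fclose(fp);
    unlink(path);
    return size;
}

int main(void)
{
    printf("off_t: %d bits, probe size: %lld\n", off_t_bits(), probe_past_2gb());
    return 0;
}
```

The macro only affects translation units compiled with it, so a separately built library keeps whatever offset width it was compiled with.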
