[Snort-devel] Binary (pcap) Logging Limited to 128M

Todd Wease twease at ...402...
Fri Jun 13 15:57:25 EDT 2008


What are you trying to do?  If you're just capturing traffic, why not 
use tcpdump or wireshark?

Bamm Visscher wrote:
> Can this be fixed?
> 
> 
> On Fri, Jun 13, 2008 at 1:37 PM, Todd Wease <twease at ...402...> wrote:
>> The limit can only be configured from snort.conf.
>>
>> Bamm Visscher wrote:
>>> What about if you are just using -b from the cmd line b/c you don't
>>> want snort in IDS mode?
>>>
>>>
>>> On Fri, Jun 13, 2008 at 1:24 PM, Todd Wease <twease at ...402...> wrote:
>>>> In your log_tcpdump configuration, the second argument specifies the
>>>> limit, e.g.:
>>>>
>>>> output log_tcpdump: tcpdump.log 1G
>>>>
>>>> Modifiers 'K', 'M' and 'G' can be used to express the number in
>>>> kilobytes, megabytes and gigabytes respectively.
>>>>
>>>>
>>>> Bamm Visscher wrote:
>>>>> I don't see a way to override this other than modifying the value at
>>>>> compile time. Is that on purpose and if so, why?
>>>>>
>>>>> output-plugins/spo_log_tcpdump.c
>>>>> #define DEFAULT_LIMIT (128*M_BYTES)
>>>>>
>>>>> Bammkkkk
>>>>>
>>>>>
>>>>>
>>>
>>>
>>
> 
> 
> 




