[Snort-devel] Binary (pcap) Logging Limited to 128M

Joel Esler joel.esler at ...402...
Fri Jun 13 16:07:59 EDT 2008


Or daemonlogger.

--
Joel Esler
Sent from my iPhone

On Jun 13, 2008, at 3:57 PM, Todd Wease <twease at ...402...> wrote:

> What are you trying to do?  If you're just capturing traffic, why not
> use tcpdump or wireshark?
>
> Bamm Visscher wrote:
>> Can this be fixed?
>>
>>
>> On Fri, Jun 13, 2008 at 1:37 PM, Todd Wease <twease at ...402...> wrote:
>>> The limit can only be configured from snort.conf.
>>>
>>> Bamm Visscher wrote:
>>>> What about if you are just using -b from the cmd line b/c you don't
>>>> want snort in IDS mode?
>>>>
>>>>
>>>> On Fri, Jun 13, 2008 at 1:24 PM, Todd Wease <twease at ...402...> wrote:
>>>>> In your log_tcpdump configuration, the second argument specifies the
>>>>> limit, e.g.:
>>>>>
>>>>> output log_tcpdump: tcpdump.log 1G
>>>>>
>>>>> Modifiers 'K', 'M' and 'G' can be used to express the number in
>>>>> kilobytes, megabytes and gigabytes respectively.
>>>>>
>>>>>
>>>>> Bamm Visscher wrote:
>>>>>> I don't see a way to override this other than modifying the value at
>>>>>> compile time. Is that on purpose and if so, why?
>>>>>>
>>>>>> output-plugins/spo_log_tcpdump.c
>>>>>> #define DEFAULT_LIMIT (128*M_BYTES)
>>>>>>
>>>>>> Bammkkkk
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>
>>
>>
>>
>
>
>
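
The limit argument described in the quoted reply (a number with an optional 'K', 'M' or 'G' modifier, with the compiled-in DEFAULT_LIMIT applying when no limit is given), worked through as an added example that is not part of the thread and is not Snort's own parser. The helper name `log_tcpdump_limit`, the 1024-based unit values and the requirement that a file name be present are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: 1024-based units; the thread only shows 128*M_BYTES. */
#define K_BYTES 1024ULL
#define M_BYTES (K_BYTES * K_BYTES)
#define G_BYTES (K_BYTES * M_BYTES)
#define DEFAULT_LIMIT (128 * M_BYTES)   /* value quoted in the thread */

/* Hypothetical helper: effective size limit in bytes for one snort.conf
 * line of the form "output log_tcpdump: <file> [<limit>[K|M|G]]".
 * Returns 0 on success, -1 if the line is not a usable log_tcpdump line. */
int log_tcpdump_limit(const char *line, uint64_t *limit)
{
    char file[256], arg[32], extra[2];
    int n = sscanf(line, " output log_tcpdump: %255s %31s %1s", file, arg, extra);

    if (n < 1 || n > 2)
        return -1;                 /* other plugin, no file, or trailing junk */
    if (n == 1) {                  /* no second argument: default applies */
        *limit = DEFAULT_LIMIT;
        return 0;
    }
    if (!isdigit((unsigned char)arg[0]))
        return -1;                 /* rejects "-1G", "+5" and a bare "G" */

    char *end;
    uint64_t mult = 1;
    errno = 0;
    unsigned long long v = strtoull(arg, &end, 10);
    switch (*end) {                /* modifiers as listed in the thread */
    case 'K': mult = K_BYTES; end++; break;
    case 'M': mult = M_BYTES; end++; break;
    case 'G': mult = G_BYTES; end++; break;
    }
    if (errno == ERANGE || *end != '\0' || v > UINT64_MAX / mult)
        return -1;                 /* overflow or unknown suffix */
    *limit = v * mult;
    return 0;
}

int main(void)
{
    uint64_t l;
    if (log_tcpdump_limit("output log_tcpdump: tcpdump.log 1G", &l) == 0)
        printf("%llu\n", (unsigned long long)l);
    return 0;
}
```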