[Snort-devel] Binary (pcap) Logging Limited to 128M

Todd Wease twease at ...402...
Fri Jun 13 16:27:48 EDT 2008


Someone's gotta keep the list clean of debris.


Bamm Visscher wrote:
> The SF vacuum strikes again...
> 
> Color me not surprised.
> 
> 
> 
> On Fri, Jun 13, 2008 at 2:08 PM, Todd Wease <twease at ...402...> wrote:
>> I guess you're screwed then.
>>
>> Bamm Visscher wrote:
>>> Tcpdump?  Wireshark?  Never heard of them.
>>>
>>> *sigh*
>>>
>>> Mainly because my sensors already have snort installed on them, so why
>>> install another pcap collection app if I already had one that met my
>>> needs.  Yes, I know it's hard to believe, but at one point snort was
>>> used by people for purposes other than just a detection engine.
>>>
>>>
>>> On Fri, Jun 13, 2008 at 1:57 PM, Todd Wease <twease at ...402...> wrote:
>>>> What are you trying to do?  If you're just capturing traffic, why not use
>>>> tcpdump or wireshark?
>>>>
>>>> Bamm Visscher wrote:
>>>>> Can this be fixed?
>>>>>
>>>>>
>>>>> On Fri, Jun 13, 2008 at 1:37 PM, Todd Wease <twease at ...402...> wrote:
>>>>>> The limit can only be configured from snort.conf.
>>>>>>
>>>>>> Bamm Visscher wrote:
>>>>>>> What about if you are just using -b from the cmd line b/c you don't
>>>>>>> want snort in IDS mode?
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Jun 13, 2008 at 1:24 PM, Todd Wease <twease at ...402...> wrote:
>>>>>>>> In your log_tcpdump configuration, the second argument specifies the
>>>>>>>> limit, e.g.:
>>>>>>>>
>>>>>>>> output log_tcpdump: tcpdump.log 1G
>>>>>>>>
>>>>>>>> Modifiers 'K', 'M' and 'G' can be used to express the number in
>>>>>>>> kilobytes, megabytes and gigabytes respectively.
>>>>>>>>
>>>>>>>>
>>>>>>>> Bamm Visscher wrote:
>>>>>>>>> I don't see a way to override this other than modifying the value at
>>>>>>>>> compile time. Is that on purpose and if so, why?
>>>>>>>>>
>>>>>>>>> output-plugins/spo_log_tcpdump.c
>>>>>>>>> #define DEFAULT_LIMIT (128*M_BYTES)
>>>>>>>>>
>>>>>>>>> Bamm
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>
>>>
>>>
>>
> 
> 
> 




