[Snort-devel] snort Version 2.8.6.rc (Build 16), option -r large.pcap, ... Value too large for defined data type
twease at ...402...
Tue Feb 23 17:44:49 EST 2010
On 02/23/2010 02:37 PM, Phil Wood wrote:
> Not a real big deal. But ...
> Error getting stat on pcap file: /data/1266949500.000024.pcap: Value too large for defined data type
> ERROR: Error getting pcaps.
> Fatal Error, Quitting..
> # this file is 5 minutes worth of pcap
> $ ls -l /data/1266949500.000024.pcap
> -rw-rw-r-- 1 grok grok 10429540832 2010-02-23 11:30 /data/1266949500.000024.pcap
> $ /etc/snort/snort -V
> ,,_ -*> Snort!<*-
> o" )~ Version 2.8.6.rc (Build 16)
> '''' By Martin Roesch& The Snort Team:
> Copyright (C) 1998-2010 Sourcefire, Inc., et al.
> Using PCRE version: 7.8 2008-09-05
> Not a big deal, I can get around the problem by piping pcap files to
> snort. But, it seams reasonable to expect that snort could read large
> files. Maybe I just need to know the right configuration option when
> building it, or there is an option I don't see off the bat, or there is
> another release out!
Thanks for the report. Looks like this issue has been around for quite
a few snort releases, since the ability to read and loop multiple pcap
files was introduced. Another possible workaround may be to add
"-D_FILE_OFFSET_BITS=64" to CFLAGS when configuring snort. At any rate,
a bug will be created for the issue.
More information about the Snort-devel