[Snort-devel] snort Version 2.8.6.rc (Build 16), option -r large.pcap, ... Value too large for defined data type

Todd Wease twease at ...402...
Tue Feb 23 17:44:49 EST 2010


On 02/23/2010 02:37 PM, Phil Wood wrote:
> Folks,
>
> Not a real big deal.  But ...
>
> Error getting stat on pcap file: /data/1266949500.000024.pcap: Value too large for defined data type
> ERROR: Error getting pcaps.
> Fatal Error, Quitting..
>
> # this file is 5 minutes worth of pcap
> $ ls -l /data/1266949500.000024.pcap
> -rw-rw-r-- 1 grok grok 10429540832 2010-02-23 11:30 /data/1266949500.000024.pcap
>
> $ /etc/snort/snort -V
>
>     ,,_     -*>  Snort!<*-
>    o"  )~   Version 2.8.6.rc (Build 16)
>     ''''    By Martin Roesch&  The Snort Team:
> http://www.snort.org/snort/snort-team
>             Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>             Using PCRE version: 7.8 2008-09-05
>
> Not a big deal, I can get around the problem by piping pcap files to
> snort.  But, it seams reasonable to expect that snort could read large
> files.  Maybe I just need to know the right configuration option when
> building it, or there is an option I don't see off the bat, or there is
> another release out!
>
> Later,
>
>    

Hello Phil,

Thanks for the report.  Looks like this issue has been around for quite 
a few snort releases, since the ability to read and loop multiple pcap 
files was introduced.  Another possible workaround may be to add 
"-D_FILE_OFFSET_BITS=64" to CFLAGS when configuring snort.  At any rate, 
a bug will be created for the issue.

Todd




More information about the Snort-devel mailing list