[Snort-users] Snort dies after a few days.

Phil Wood cpw at ...440...
Tue Mar 26 09:11:08 EST 2002

All bets are off if you run RedHat.  They do it their way, tcpdump.org does
it their way, and I do it my way.

I've had some offline discussion with tcpdump.org folks.  It is unlikely
that there will be any changes to the feeble linux aspects of libpcap in
the near future.  If (on LINUX) you want large pcap files, and have no
aversion to building your own libpcap, sandwich the following:

#ifdef linux
#define _FILE_OFFSET_BITS 64

between the test/#include for a config.h file and the next #include file.

Then recompile, and rebuild your tcpdump applications using the resulting

On Mon, Mar 25, 2002 at 11:47:11AM -0800, Bill McCarty wrote:
> My Snort dies when a binary log file reaches a bit over 2 GB. I thought RHL 
> 7.2 and the 2.4 kernel allowed files to exceed this limit, but apparently 
> not. I'll check further when I get the version of Snort that I just 
> compiled to properly generate alerts <grin>.
> ---------------------------------------------------
> Bill McCarty

Phil Wood, cpw at ...440...

More information about the Snort-users mailing list