[Snort-users] 2GB limit?

Phil Wood cpw at ...440...
Thu Jan 9 13:31:13 EST 2003


You are correct.  I've got the following in the savefile.c:

#ifdef linux
#define _FILE_OFFSET_BITS 64
#define _LARGEFILE64_SOURCE
#endif

Linux users might want to try the following libpcap:

  libpcap-08.1104.tar.gz

found at: 

  http://public.lanl.gov/cpw

There is some information at my site that talks about some of the changes
that I've made to libpcap for linux.  You only need to get this if you
lose packets.

On Thu, Jan 09, 2003 at 01:50:23PM -0600, Shane Williams wrote:
> Actually, this isn't a filesystem limit if you're using ext2 or ext3
> on RH 7.2
> 
> It might be in snort, but from my experience with tcpdump, I would
> suspect the libpcap package.
> 
> I compiled my own libpcap because I was running into the same 2G limit
> with tcpdump.  The trick is to add "-D_FILE_OFFSET_BITS=64
> -D_LARGEFILE_SOURCE" to the "DEFS =" line in your makefile.  After
> replacing the RH supplied libpcap with my version, tcpdump will go
> much higher (I can't say for sure, but I've got files as large as 12G
> now).
> 
> I suspect if you do a search for that string you'll find more about this
> issue, and a better explanation.  
> 
> 
> On Thu, 9 Jan 2003, Javier Liendo wrote:
> 
> > hello
> > 
> > because of the configuration you mentioned you are
> > using the ext3 filesystem and afaik that's a limit
> > imposed by the filesystem itself: no file can be
> > bigger than 2GB. i used to have a hogwash process that
> > crashed every time the log file grew more than 2GB
> > long...hope it helps...
> > 
> > saludos
> > 
> > javier
> > 
> > --- Sammy X <sammy7887 at ...131...> wrote:
> > > 
> > > Has anyone else run into any problems where logging
> > > in tcpdump format stops once the log file reaches
> > > 2GB?  I'm using Snort 1.8.6 (Build 105) on a Redhat
> > > 7.2 box with kernel 2.4.7-10.  My libpcap is the one
> > > that came with Redhat (0.6.2-9).  From what I've read
> > > so far, it looks like the problem is with libpcap
> > > not having been compiled with LFS.  Any
> > > thoughts/suggestions?  Any help is greatly
> > > appreciated!  Thanks in advance.
> > > 
> > > Sammy
> 
> -- 
> Public key #7BBC68D9 at            |                 Shane Williams
> http://pgp.mit.edu/                |      System Admin - UT iSchool
> =----------------------------------+-------------------------------
> All syllogisms contain three lines |              shanew at ...5387...
> Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

-- 
Phil Wood, cpw at ...440...
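
An added example, not part of the original message or of libpcap: a small C probe that applies the same _FILE_OFFSET_BITS define discussed in this thread and checks that the build can write past the 2 GiB offset where a capture file stops growing. The function names and the scratch file name are hypothetical; on 64-bit Linux off_t is already 64 bits, so the define only changes behaviour on 32-bit builds.

```c
/* Must come before every #include so glibc selects a 64-bit off_t. */
#ifndef _FILE_OFFSET_BITS
#define _FILE_OFFSET_BITS 64
#endif

#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Width of off_t in this build; 32 means a file cannot grow past 2 GiB - 1. */
int off_t_bits(void) { return (int)(sizeof(off_t) * 8); }

/* Write one byte at offset 2 GiB in a sparse scratch file under dir.
 * Returns the resulting file size, or -1 if the build or filesystem refuses. */
long long probe_past_2gib(const char *dir)
{
    const long long target = 1LL << 31; /* first offset a 32-bit off_t cannot hold */
    char path[512];
    struct stat st;
    long long size = -1;
    int fd;

    if (sizeof(off_t) < 8)
        return -1;                       /* built without large file support */
    signal(SIGXFSZ, SIG_IGN);            /* a size limit then fails write() instead of killing us */

    /* Hypothetical scratch file name; O_EXCL refuses to reuse an existing file. */
    snprintf(path, sizeof(path), "%s/lfs-probe-%ld.pcap", dir, (long)getpid());
    fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0)
        return -1;
    if (lseek(fd, (off_t)target, SEEK_SET) == (off_t)target &&
        write(fd, "x", 1) == 1 && fstat(fd, &st) == 0)
        size = (long long)st.st_size;
    close(fd);
    unlink(path);
    return size;
}

int main(void)
{
    printf("off_t: %d bits\n", off_t_bits());
    printf("size after 1-byte write at 2 GiB: %lld\n", probe_past_2gib("/tmp"));
    return 0;
}
```

The scratch file is sparse, so the probe uses almost no disk space even though its reported size is just over 2 GiB.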




