[Snort-users] 2GB limit?

Shane Williams shanew at ...5387...
Thu Jan 9 14:47:07 EST 2003


I think you should add "-shared" and "-fPIC" to the CCOPTS line, but
it's been months since I've done it, so that may not be it at all.

On Thu, 9 Jan 2003, Sammy wrote:

> Shane, I did get the source of libpcap and compiled it after adding the
> following lines to the savefile.c -
> #ifdef linux
> #define _FILE_OFFSET_BITS 64
> #define _LARGEFILE64_SOURCE
> #endif
> 
> However, when it compiled, it created a .a static library instead of an .so shared object library that my current Snort is running against.  Any ideas how I can get a .so file compiled?  Thanks.
>
> Shane Williams <shanew at ...5387...> wrote:
> Actually, this isn't a filesystem limit if you're using ext2 or ext3
> on RH 7.2
> 
> It might be in snort, but from my experience with tcpdump, I would
> suspect the libpcap package.
> 
> I compiled my own libpcap because I was running into the same 2G limit
> with tcpdump. The trick is to add "-D_FILE_OFFSET_BITS=64
> -D_LARGEFILE_SOURCE" to the "DEFS =" line in your makefile. After
> replacing the RH supplied libpcap with my version, tcpdump will go
> much higher (I can't say for sure, but I've got files as large as 12G
> now).
> 
> I suspect if you do a search for that string you'll find more about this
> issue, and a better explanation. 
> 
> 
> On Thu, 9 Jan 2003, Javier Liendo wrote:
> 
> > hello
> > 
> > because of the configuration you mentioned you are
> > using the ext3 filesystem and afaik that's a limit
> > imposed by the filesystem itself: no file can be
> > bigger than 2GB. i used to have a hogwash process that
> > crashed every time the log file grew more than 2GB
> > long...hope it helps...
> > 
> > saludos
> > 
> > javier
> > 
> > --- Sammy X wrote:
> > > 
> > > Has anyone else run into any problems where logging
> > > in tcpdump format stops once the log file reaches
> > > 2GB? I'm using Snort 1.8.6 (Build 105) on a Redhat
> > > 7.2 box with kernel 2.4.7-10. My libpcap is the one
> > > that came with Redhat (0.6.2-9). From what I've read
> > > so far, it looks like the problem is with libpcap
> > > not having been compiled with LFS. Any
> > > thoughts/suggestions? Any help is greatly
> > > appreciated! Thanks in advance.
> > > 
> > > Sammy
> > > 
> > > 
> > > 
> > > ---------------------------------
> > > Do you Yahoo!?
> > > Yahoo! Mail Plus - Powerful. Affordable. Sign up now
> > 
> > 
> > 
> > -------------------------------------------------------
> > This SF.NET email is sponsored by:
> > SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> > http://www.vasoftware.com
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > 
> 
> 

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew at ...5387...
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
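
Added example, not part of the original thread or of libpcap: a small C probe that uses the two macros quoted above (`_FILE_OFFSET_BITS=64` and `_LARGEFILE_SOURCE`) and writes one byte at the 2 GiB offset of a sparse temporary file through stdio. The function names and the use of `tmpfile()` are assumptions made for this illustration; building it without the two `#define` lines on a 32-bit system shows the failure the thread describes.

```c
/* Added example. The feature macros must come before every #include,
 * which is why passing them as -D flags in the makefile is the safer route. */
#define _FILE_OFFSET_BITS 64
#define _LARGEFILE_SOURCE

#include <stdio.h>
#include <stdint.h>
#include <sys/types.h>

/* First byte offset that a 32-bit signed off_t cannot represent (2 GiB). */
#define LFS_BOUNDARY ((int64_t)1 << 31)

/* Width of off_t in this build: 64 with LFS, 32 without it on 32-bit Linux. */
int off_t_bits(void)
{
    return (int)(sizeof(off_t) * 8);
}

/* Write one byte at the 2 GiB offset of a sparse temporary file and
 * return the resulting file size, or -1 if the build or the write fails. */
int64_t probe_past_2gb(void)
{
    FILE *fp = tmpfile();
    int64_t size = -1;

    if (fp == NULL)
        return -1;
    if (sizeof(off_t) >= 8 &&                 /* a 32-bit off_t cannot hold the offset */
        fseeko(fp, (off_t)LFS_BOUNDARY, SEEK_SET) == 0 &&
        fputc('x', fp) != EOF &&
        fflush(fp) == 0 &&                    /* the write error surfaces here */
        fseeko(fp, 0, SEEK_END) == 0)
        size = (int64_t)ftello(fp);
    fclose(fp);                               /* tmpfile() removes the file on close */
    return size;
}

int main(void)
{
    int64_t size = probe_past_2gb();

    printf("off_t is %d bits\n", off_t_bits());
    if (size < 0) {
        printf("could not write past 2 GiB\n");
        return 1;
    }
    printf("file size after write: %lld bytes\n", (long long)size);
    return 0;
}
```

The file is sparse, so the probe needs almost no disk space on filesystems that support holes.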




