[Snort-users] 2.0 GB Max file size on linux packet captures

Shane Williams shanew at ...5387...
Wed Sep 24 16:36:09 EDT 2003


Note that it's not just the OS or filesystem that needs LFS support,
but libpcap as well.  Most 2.4-kernel-based Linux distros can already
handle large files, but for some reason, many of the libs and
utilities they provide don't use it.  In my experience libpcap is one
of these.  For me, this has meant recompiling libpcap with the extra
flags mentioned at the URL Erek provided (and then recompiling tcpdump
or snort, though I don't think they need the flags themselves; they
just need to point to the right libpcap).

On Wed, 24 Sep 2003, Erek Adams wrote:

> On Wed, 24 Sep 2003, Scott Williams (Network) wrote:
> 
> > When I do tcpdump or snort packet captures to disk, I keep hitting a max
> > file size of 2GB. I've tried different versions of RedHat. From web
> > searches, it seems like I need to enable Large File Support (LFS), but
> > this doesn't seem well documented or supported.
> >
> > Does anyone have experience doing this or is there a linux distro that
> > defaults to LFS?
> 
> Sure.  It's called "Solaris" or "OpenBSD".  ;-)
> 
> 	http://www.suse.de/~aj/linux_lfs.html
> 
> (All your answers belong to Google)
> 
> Cheers!
> 
> -----
> Erek Adams
> 
>    "When things get weird, the weird turn pro."   H.S. Thompson
> 

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew at ...5387...
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
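
An added example, not part of the original thread and not libpcap code: a small C probe that reports whether a given build has a 64-bit `off_t` and can actually write past the 2 GiB mark. `_FILE_OFFSET_BITS=64` is the standard glibc LFS switch; the function names and scratch file name are assumptions made for illustration.

```c
/* Added example: can this compilation unit write past 2 GiB? */
#ifndef _FILE_OFFSET_BITS
#define _FILE_OFFSET_BITS 64      /* glibc LFS switch; must precede all #includes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum probe_result { PROBE_OK, PROBE_NO_LFS, PROBE_LIMITED, PROBE_ERROR };

/* 1 if off_t is at least 64 bits wide in this build, else 0. */
int lfs_enabled(void) { return sizeof(off_t) >= 8; }

/* Write one byte just past the 2 GiB mark of a sparse scratch file. */
enum probe_result probe_large_offset(const char *path)
{
    long long want = (1LL << 31) + 4096;   /* beyond the 2^31-1 maximum of a 32-bit off_t */
    struct stat st;
    enum probe_result r = PROBE_ERROR;

    if (!lfs_enabled())
        return PROBE_NO_LFS;               /* the offset would not fit in off_t */
    signal(SIGXFSZ, SIG_IGN);              /* report EFBIG instead of dying on a ulimit */
    /* O_EXCL: refuse an existing file or symlink at the scratch path */
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0)
        return PROBE_ERROR;
    errno = 0;
    if (lseek(fd, (off_t)want, SEEK_SET) == (off_t)want && write(fd, "x", 1) == 1 &&
        fstat(fd, &st) == 0 && (long long)st.st_size == want + 1)
        r = PROBE_OK;
    else if (errno == EFBIG || errno == EOVERFLOW || errno == EINVAL)
        r = PROBE_LIMITED;                 /* filesystem or resource limit, not off_t */
    close(fd);
    unlink(path);                          /* scratch file is sparse and removed */
    return r;
}

int main(void)
{
    static const char *names[] = { "ok", "no LFS in this build", "fs/ulimit limit", "error" };
    printf("sizeof(off_t) = %zu bytes\n", sizeof(off_t));
    printf("probe: %s\n", names[probe_large_offset("lfs_probe.tmp")]);
    return 0;
}
```

The result describes only the binary it is compiled into; a libpcap built without the same define still stops at 2 GB even when this probe reports "ok".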
