[Snort-users] 2.0 GB Max file size on linux packet captures

Phil Wood cpw at ...440...
Thu Sep 25 13:51:05 EDT 2003

Build your own libpcap by hardcoding this into your Makefile:


and do a 'make clean all'.

and, if you are building an application which reads and writes files
which could get larger than 2G, that does not use libpcap, then just make
sure you incorporate the BITS and SOURCE defines in your make file.


PS: if you are really into rolling your own, try the pcap distribution
    at http://public.lanl.gov/cpw (Number 2).  It builds with large files
    in mind and captures more packets than the other "distros".

On Wed, Sep 24, 2003 at 04:42:18PM -0600, Scott Williams (Network) wrote:
> When I do tcpdump or snort packet captures to disk, I keep hitting a max
> file size of 2GB. I've tried different versions of RedHat. From web
> searches, it seems like I need to enable Large File Support (LFS), but
> this doesn't seem well documented or supported. 
> Does anyone have experience doing this or is there a linux distro that
> defaults to LFS?

Phil Wood (cpw_at_lanl.gov)
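
A way to check that a build really has large file support, as an added example that is not part of the original post. It assumes the "BITS and SOURCE defines" are glibc's `_FILE_OFFSET_BITS=64` and `_LARGEFILE_SOURCE`; `off_t_bits`, `probe_past_2g` and the probe file name are hypothetical names.

```c
/* Added example. The two defines are assumed to be the ones the post means;
 * they must appear before any system header (or be passed as -D flags). */
#ifndef _FILE_OFFSET_BITS
#define _FILE_OFFSET_BITS 64   /* make off_t 64-bit on 32-bit Linux */
#endif
#ifndef _LARGEFILE_SOURCE
#define _LARGEFILE_SOURCE      /* expose fseeko()/ftello() to stdio users */
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>

/* Width of off_t in bits: 64 when large file support is active. */
int off_t_bits(void) { return (int)(sizeof(off_t) * 8); }

/* Write one byte at offset 2 GiB in a sparse file and confirm the size.
 * Returns 0 on success, -2 if off_t is too narrow, -1 on any I/O error
 * (for example EFBIG from the filesystem or a file-size ulimit). */
int probe_past_2g(const char *path)
{
    const long long target = 2147483648LL;  /* 2^31: beyond a 32-bit off_t */
    struct stat st;
    int fd, rc = -1;

    if (sizeof(off_t) < 8)
        return -2;
    /* Otherwise crossing a size limit raises SIGXFSZ and kills the process
     * instead of letting write() fail with EFBIG. */
    signal(SIGXFSZ, SIG_IGN);
    fd = open(path, O_CREAT | O_TRUNC | O_WRONLY, 0600);
    if (fd < 0)
        return -1;
    if (lseek(fd, (off_t)target, SEEK_SET) == (off_t)target &&
        write(fd, "x", 1) == 1 &&
        fstat(fd, &st) == 0 &&
        (long long)st.st_size == target + 1)
        rc = 0;
    close(fd);
    unlink(path);       /* sparse file: no 2 GiB of disk was actually used */
    return rc;
}

int main(void)
{
    printf("off_t is %d bits\n", off_t_bits());
    return probe_past_2g("lfs_probe.tmp") == 0 ? 0 : 1;
}
```

On a 32-bit build with the two defines removed, `probe_past_2g` returns -2; `getconf LFS_CFLAGS` prints the flags the local platform expects for large file support.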
