Snort mailing list archives
Re: 2GB limit?
From: Shane Williams <shanew () shanew net>
Date: Thu, 9 Jan 2003 13:50:23 -0600 (CST)
Actually, this isn't a filesystem limit if you're using ext2 or ext3 on RH 7.2. It might be in snort, but from my experience with tcpdump, I would suspect the libpcap package. I compiled my own libpcap because I was running into the same 2G limit with tcpdump. The trick is to add "-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE" to the "DEFS =" line in your makefile. After replacing the RH supplied libpcap with my version, tcpdump will go much higher (I can't say for sure, but I've got files as large as 12G now).

I suspect if you do a search for that string you'll find more about this issue, and a better explanation.

On Thu, 9 Jan 2003, Javier Liendo wrote:
hello

because of the configuration you mentioned you are using the ext3 filesystem and afaik that's a limit imposed by the filesystem itself: no file can be bigger than 2GB. i used to have a hogwash process that crashed every time the log file grew more than 2GB long...

hope it helps...

saludos

javier

--- Sammy X <sammy7887 () yahoo com> wrote:

Has anyone else run into any problems where logging in tcpdump format stops once the log file reaches 2GB? I'm using Snort 1.8.6 (Build 105) on a Redhat 7.2 box with kernel 2.4.7-10. My libpcap is the one that came with Redhat (0.6.2-9). From what I've read so far, it looks like the problem is with libpcap not having been compiled with LFS.

Any thoughts/suggestions? Any help is greatly appreciated! Thanks in advance.

Sammy
--
Public key #7BBC68D9 at            | Shane Williams
http://pgp.mit.edu/                | System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines | shanew () shanew net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
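An added example, not part of the original message and not libpcap or Snort code: a small C probe showing what the two defines mentioned above change for a program that writes a capture file. It writes across the 2^31-1 byte offset in a sparse temp file; the function names and the temp path are hypothetical.

```c
/* Added example: probe the 2 GB boundary the way a capture writer hits it. */
#ifndef _FILE_OFFSET_BITS
#define _FILE_OFFSET_BITS 64   /* same effect as -D_FILE_OFFSET_BITS=64 in DEFS */
#endif
#ifndef _LARGEFILE_SOURCE
#define _LARGEFILE_SOURCE      /* same effect as -D_LARGEFILE_SOURCE in DEFS */
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Width of off_t in bits: 64 with LFS in effect, 32 on a legacy 32-bit build. */
int off_t_bits(void) { return (int)(sizeof(off_t) * 8); }

/* Seek to offset 2^31-1 in a sparse temp file and write 4 bytes past it.
 * Returns the resulting file size, or -1 with errno set (EFBIG when the
 * descriptor was opened without large file support). */
long long probe_2gb_boundary(void)
{
    char path[] = "/tmp/lfs_probe_XXXXXX";   /* constructed placeholder path */
    struct stat st;
    long long result = -1;
    int saved, fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                    /* file is reclaimed when fd is closed */
    signal(SIGXFSZ, SIG_IGN);        /* report EFBIG instead of being killed */
    if (lseek(fd, (off_t)2147483647L, SEEK_SET) != (off_t)-1 &&
        write(fd, "pcap", 4) == 4 && fstat(fd, &st) == 0)
        result = (long long)st.st_size;
    saved = errno;
    close(fd);
    errno = saved;
    return result;
}

int main(void)
{
    long long size = probe_2gb_boundary();
    printf("off_t is %d bits\n", off_t_bits());
    if (size < 0) printf("write past 2 GB failed: %s\n", strerror(errno));
    else          printf("wrote past 2 GB, file size %lld bytes\n", size);
    return size < 0;
}
```

On a 64-bit system off_t is already 64 bits, so the defines only change the result on 32-bit builds such as the RH 7.2 setup discussed in the thread.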