Re: Snort 2GB limit

[Phil Wood <cpw () lanl gov>]

On Mon, Feb 18, 2002 at 12:37:14PM -0800, Lyle Sudin wrote:
> Thanks, Phil but even with the addition of 64-bit
> support in libpcap, snort stops at exactly 2GB.
Make sure that there is not another pcap lurking where snorts configure
could find it.  It might be using a shared library .so and bypassing what
you want.
> I recompiled libpcap with the changes to savefile.c
> and I added the CFLAGS line to the snort Makefile to
> no avail.  
>
> I am running Turbo Linux Server 6.5 which supports
> files > 2GB (I have tested it) so it's not a problem
> with the OS.  
>
> Could there be any other files which need editing?
I did not use any other files.  But, I'm using Debian, with my own
"turbo" linux and running a 2.4.16 kernel.  You might want to check 
the kernel config.  I seem to remember something about > x Gig.  But,
it might just have been the memory configuration.

One thing you might make sure of is that your asm and linux includes
are linked to your kernel source (/usr/src/linux/include/{asm,linux}
respectively.

> Thanks,
> Lyle
>
>
> --- Phil Wood <cpw () lanl gov> wrote:
> > If you are running linux, change to the source to
> > pcap and put the following
> > somewhere before the #include(s) statements in
> > savefile.c:
> >
> > #ifdef linux
> > #define _FILE_OFFSET_BITS 64
> > #define _LARGEFILE64_SOURCE
> > #endif
> >
> > Them make clean, make.  Then, go to snort source
> > directory:
> >
> >   rm snort
> >   make
> >
> > This all assumes you have both the source to pcap
> > and the source to snort
> > and now how to build libpcap based applications and
> > have correct include
> > and library directives in your Makefile.
> >
> > If you expect other files, created by snort to get
> > large, then you would
> > have to do a similar thing.  You can also just -D
> > those two defines in
> > somewhere in your Makefiles for the various
> > applications that do big
> > files.  Something like this:
> >     
> > CFLAGS = -O2 -g -Wall -D_FILE_OFFSET_BITS 64
> > -D_LARGEFILE64_SOURCE
> >
> > is what I would do to the Makefile for snort.
> >
> > On Fri, Feb 15, 2002 at 10:09:31AM -0600, Chris
> > Eidem wrote:
> >
> > > Sounds like an OS limitation, what are you
> > running?
> > >  - chris
> > >
> > > > -----Original Message-----
> > > > From: Lyle Sudin [mailto:lylesudin () yahoo com]
> > > > Sent: Friday, February 15, 2002 8:09 AM
> > > > To: snort-users () lists sourceforge net
> > > > Subject: [Snort-users] Snort 2GB limit
> > > >
> > > >
> > > > Is there an inherent 2GB limit for snort?  My
> > system supports files > 
> > > > 2GB but when I run snort in binary mode it stops
> > cold at 2GB. 
> > > >  Is there 
> > > > something I am missing here?  snort was run
> > simply as:
> > > > snort -l /data -b -D
> > > >
> > > > It works fine up to 2GB.
> > > >
> > > > Thanks,
> > > > Lyle
> > > >
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or
> > unsubscribe:
> > > >
> https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or
> > unsubscribe:
> > >
> https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list
> >
> > -- 
> > Phil Wood, cpw () lanl gov
>
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Sports - Coverage of the 2002 Olympic Games
> http://sports.yahoo.com
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users