Re: 2GB limit?

[Sammy <sammy7887 () yahoo com>]

Shane, I did get the source of libcap I compiled it after adding the following lines to the savefile.c -
#ifdef linux
#define _FILE_OFFSET_BITS 64
#define _LARGEFILE64_SOURCE
#endif

However, when it compiled, it created a .a static library instead of an .so shared object library that my current Snort 
is running against.  Any ideas how I can get a .so file compiled?  Thanks.
 Shane Williams <shanew () shanew net> wrote:Actually, this isn't a filesystem limit if you're using ext2 or ext3
on RH 7.2

It might be in snort, but from my expereince with tcpdump, I would
suspect the libpcap package.

I compiled my own libpcap because I was running into the same 2G limit
with tcpdump. The trick is to add "-D_FILE_OFFSET_BITS=64
-D_LARGEFILE_SOURCE" to the "DEFS =" line in your makefile. After
replacing the RH supplied libpcap with my version, tcpdump will go
much higher (I can't say for sure, but I've got files as large as 12G
now).

I suspect if you do a search for that string you'll more about this
issue, and a better explanation. 


On Thu, 9 Jan 2003, Javier Liendo wrote:

> hello
>
> because of the configuration you mentionend you are
> using the ext3 filesystem and afaik that's a limit
> imposed by the filesystem iteself: no file can be
> bigger than 2GB. i used to have a hogwash process that
> crashed everytime the log file grew more than 2GB
> long...hope it helps...
>
> saludos
>
> javier
>
> --- Sammy X wrote:
> > Has anyone else run into any problems where logging
> > in tcpdump format stops once the log file reaches
> > 2GB? I'm using Snort 1.8.6 (Build 105) on a Redhat
> > 7.2 box with kernel 2.4.7-10. My libpcap is the one
> > the came with Redhat (0.6.2-9). From what I've read
> > so far, it looks like the problem is with libpcap
> > not having been compiled with LFS. Any
> > thoughts/suggestions? Any help is greatly
> > appreciated! Thanks in advance.
> >
> > Sammy
> >
> >
> >
> > ---------------------------------
> > Do you Yahoo!?
> > Yahoo! Mail Plus - Powerful. Affordable. Sign up now
>
>
>
> -------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> http://www.vasoftware.com
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Public key #7BBC68D9 at | Shane Williams
http://pgp.mit.edu/ | System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines | shanew () shanew net
Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew



---------------------------------
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now