On Tue, 2003-11-11 at 04:39, Guy Harris wrote: > On Nov 10, 2003, at 11:20 AM, [EMAIL PROTECTED] wrote: > > > Hi everyone. I did a Google search for this problem and uncovered a > > wealth > > of information about the it, but not very much on how to fix it, so > > here I > > am. > > > > I have two rather large (~1.5GB each) capture files that I need to > > merge > > into one. The program I'm using runs for a bit and then stops with a > > "maximum file size exceeded" error. > > What happens if you compile and run the attached file on the two > capture files and send the standard output to another file? > > If you get a "maximum file size exceeded" error, the problem is that > the standard way to use the "standard I/O library" routines on your > Linux system (and probably most if not all Linux systems) doesn't > handle files >2GB. > > If there's a way to get those routines to do so, libpcap would have to > use that way *IF* available in order to support files >2GB on platforms > where the standard way to use those routines doesn't handle them. > > If there isn't a way to get those routines to do so, libpcap would have > to be changed not to use them in order to support files >2GB on those > platforms. > > > Is there a workaround of some kind that will let libpcap handle larger > > files? Some of the info I turned up seemed to suggest that there is a > > configuration option that will compile libpcap with large file support, > > but I can't seem to find it. > > That's because it doesn't exist, at least with the tcpdump.org libpcap.
http://www.suse.de/~aj/linux_lfs.html has the answer. Basically recompile libpcap with DEFS = -DHAVE_CONFIG_H -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -D_GNU_SOURCE in the Makefile.. (information originated from a snort-users posting..) Best regards Michael Boman -- Michael Boman Security Architect, SecureCiRT Pte Ltd http://www.securecirt.com
signature.asc
Description: This is a digitally signed message part
