[Bro] cannot read large pcap file
antonat at ics.forth.gr
Mon Mar 6 12:21:56 PST 2006
The pcap library does not support large files (you have to manually add
O_LARGEFILE to open()'s flags and recompile pcap). A trick is to 'cat'
the file and have your program (bro, tcpdump, whatever) read from stdin.
Works fine in Debian.
> -----Original Message-----
> From: bro-admin at ICSI.Berkeley.EDU [mailto:bro-admin at ICSI.Berkeley.EDU] On
> Behalf Of Christian Kreibich
> Sent: Tuesday, March 07, 2006 12:18 AM
> To: Jay Hwang
> Cc: Bro List
> Subject: Re: [Bro] cannot read large pcap file
> Hi Jay,
> does the problem persist if you try with a Bro 1.o release? Also, ensure
> that the pcap library Bro picks does have large-file support itself.
> On Tue, 2006-03-07 at 00:17 +0900, Jay Hwang wrote:
> > Hi, I want to run bro with 300GB pcap file but it cannot run
> > How can I do?
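Added example, not part of the original message and not code from Bro or libpcap: a reader that consumes a pcap stream strictly sequentially, which is what makes the `cat` trick above possible, since the reading program never calls open() on the large file itself. The function names and the two-record sample capture are constructed for illustration.

```c
/* Sequential pcap reader: no open() on the capture, no seeks, 64-bit counters.
 * Typical use: cat big.pcap | ./count_packets */
#include <stdint.h>
#include <stdio.h>

static uint32_t swap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}
/* Returns the packet count, or -1 on bad magic or a truncated record.
 * *bytes receives the number of bytes consumed from the stream. */
int64_t count_packets(FILE *in, uint64_t *bytes) {
    uint32_t gh[6], rh[4];      /* 24-byte file header, 16-byte record header */
    unsigned char buf[4096];
    int64_t n = 0;
    if (fread(gh, 1, sizeof gh, in) != sizeof gh) return -1;
    int swapped = (gh[0] == 0xd4c3b2a1u);   /* written in the other byte order */
    if (!swapped && gh[0] != 0xa1b2c3d4u) return -1;
    *bytes = sizeof gh;
    while (fread(rh, 1, sizeof rh, in) == sizeof rh) {
        uint32_t caplen = swapped ? swap32(rh[2]) : rh[2];
        *bytes += sizeof rh;
        while (caplen > 0) {                /* consume the payload in chunks */
            size_t want = caplen < sizeof buf ? caplen : sizeof buf;
            if (fread(buf, 1, want, in) != want) return -1;
            caplen -= (uint32_t)want;
            *bytes += want;
        }
        n++;
    }
    return n;
}
/* Constructed sample: two records (4 and 6 payload bytes); `cut` bytes are
 * left off the last payload to simulate a truncated capture. */
FILE *sample_capture(int swapped, uint32_t cut) {
    uint32_t gh[6] = {0xa1b2c3d4u, 0, 0, 0, 65535, 1}, lens[2] = {4, 6};
    unsigned char data[6] = {0};
    FILE *f = tmpfile();
    if (!f) return NULL;
    if (swapped) gh[0] = swap32(gh[0]);
    fwrite(gh, 1, sizeof gh, f);
    for (int i = 0; i < 2; i++) {
        uint32_t v = swapped ? swap32(lens[i]) : lens[i], rh[4] = {0, 0, v, v};
        fwrite(rh, 1, sizeof rh, f);
        fwrite(data, 1, lens[i] - (i == 1 ? cut : 0), f);
    }
    rewind(f);
    return f;
}
int main(void) {
    uint64_t bytes = 0;
    int64_t n = count_packets(stdin, &bytes);
    if (n < 0) { fprintf(stderr, "bad magic or truncated capture\n"); return 1; }
    printf("%lld packets, %llu bytes\n", (long long)n, (unsigned long long)bytes);
    return 0;
}
```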