[Bro] cannot read large pcap file
Spiros Antonatos
antonat at ics.forth.gr
Mon Mar 6 12:21:56 PST 2006
pcap library does not support large files (u have to manually add the
O_LARGEFILE in open()'s flags and recompile pcap). A trick done is to 'cat'
the file and have your program (bro, tcpdump, whatever) read from stdin.
Works fine in debian
Spiros Antonatos
> -----Original Message-----
> From: bro-admin at ICSI.Berkeley.EDU [mailto:bro-admin at ICSI.Berkeley.EDU] On
> Behalf Of Christian Kreibich
> Sent: Tuesday, March 07, 2006 12:18 AM
> To: Jay Hwang
> Cc: Bro List
> Subject: Re: [Bro] cannot read large pcap file
>
> Hi Jay,
>
> does the problem persist if you try with a Bro 1.o release? Also, ensure
> that the pcap library Bro picks does have large-file support itself.
>
> On Tue, 2006-03-07 at 00:17 +0900, Jay Hwang wrote:
> > Hi, I want to run bro with 300GB pcap file but it cannot run
> [snip]
> > How can I do?
>
> Cheers,
> Christian.
> --
> ________________________________________________________________________
> http://www.cl.cam.ac.uk/~cpk25
> http://www.whoop.org
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
More information about the Bro
mailing list