[Coral-dev] Large File Support and EOVERFLOW
Peter Van Epp
vanepp at sfu.ca
Wed May 17 09:06:40 PDT 2006
On Tue, May 16, 2006 at 08:31:47AM -0700, David Moore wrote:
> "Fletcher Mattox" <fletcher at cs.utexas.edu> writes:
>
> > So why does crl_to_pcap fail?
> > And how can I use these tools on large tcpdump trace files?
> > Surely this problem has come up before?
>
> We've used it w/o problems on large pcap traces under freebsd (and
> solaris?). Right at the moment, we're busy getting ready for the
> release of a different project, so won't be able to look into this in
> detail for a while. But if you or anyone else on the list has more
> ideas, it'd be good to know.
>
> -- david
>
> _______________________________________________
> Coral-dev mailing list
> Coral-dev at caida.org
> https://rommie.caida.org/mailman/listinfo/coral-dev
Since I haven't seen any other answers float by, some operating systems
need special flags to get large (> 2 gig) file support enabled. Linux appears
to be one of them since I have a linux machine with the ntop ring buffer code
installed that blows up on a tcpdump at 2 gigs (and so far we haven't found
the right bits to recompile with large file support :-)). As noted FreeBSD
(where I usually run) does it by default. If you like I can look at the config
file for argus and see what it looks at to see if large file support needs
special flags which may give you a pointer.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
More information about the Coral-dev
mailing list