Hi, I want to run bro with 300GB pcap file but it cannot run
jhwhang@wien:~/bro-0.9a11$ bro -r ~/jh/20051107_2200_2h_Rx.pcap.2
bro: problem with trace file /home/jhwhang/jh/20051107_2200_2h_Rx.pcap.2 - /home/jhwhang/jh/20051107_2200_2h_Rx.pcap.2: File too large
I tried
./configure --prefix=/home/jhwhang/gb/bro/ --enable-largefile
and
CFLAGS=-D__USE_LARGEFILE64 ./configure --prefix=/home/jhwhang/gb/bro/ --enable-largefile
but both didn’t work
How can I do?
Hi Jay,
does the problem persist if you try with a Bro 1.o release? Also, ensure
that the pcap library Bro picks does have large-file support itself.
Hi, I want to run bro with 300GB pcap file but it cannot run
[snip]
How can I do?
Cheers,
Christian.
pcap library does not support large files (u have to manually add the
O_LARGEFILE in open()'s flags and recompile pcap). A trick done is to 'cat'
the file and have your program (bro, tcpdump, whatever) read from stdin.
Works fine in debian
Spiros Antonatos