snoop doesn't correctly read files over 4GB
If you give snoop an input file larger than 4GB, it happily tries to process it, but only maps the first (filesize % 4GB) bytes of it. This will usually wind up attempting to read a packet that isn't completely contained in the file, and it will bail out with:
(warning) bad packet header in capture file offset 159385680: length=1464
The reason is that it uses ints to store the file size. The problem starts in cap_open_read() when we fstat the input file (which works) and assign cap_len (an int) to the value of st_size (a larger value). After that, we pass around the size as an int.
A similar issue likely affects files over 2GB as well, since the size will be negative. I haven't tested that case, and I don't know what the failure mode is.
No data to display