[ntar-workers] Seekable file layouts etc

Christian Kreibich christian at whoop.org
Thu Jul 7 20:02:02 GMT 2005


On Thu, 2005-07-07 at 09:25 -0700, Gianluca Varenni wrote:
>
> What do you mean by "special magic for SPB headers?" SPB is the simple 
> packet block (so a "normal" block), and it should have nothing to do with 
> synchronization.

I think you can use any kind of header implicitly for testing whether
you are back in sync with the flow of blocks, by applying best-possible
heuristics and attempting to walk the block sequence per
tcpslice/libpcapnav's approach.

> In any case, it would be interesting to have some mechanism to resynchronize 
> a tracefile obtained out of truncated captures, I don't know if it's so easy 
> (basically you need to find a new SHB where you were expecting the data of a 
> block).

I think once you detect corruption you simply have to start from the
last valid block and do a byte-by-byte scan and test whether the
parseable sequence of blocks looks decent, per the above. From that you
should be able to fix the block size fields in situ to restore correct
sequencing (if you don't want to duplicate a 5GB trace), or ...

> You basically use this mode to take the corrupted trace file and 
> regenerate a good trace file (cutting out all the garbage).

... do as you say, if performance allows it.

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
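The byte-by-byte rescan described above, as an added Python example that is not from this thread or from ntar/libpcapnav: it walks pcapng blocks checking that the leading and trailing block-length fields agree, and when a block fails that check it scans forward one byte at a time for an offset from which several blocks chain cleanly (the "looks decent" heuristic). Little-endian sections, the accepted block-type set, a lookahead of three blocks, and the constructed sample trace with one truncated packet block are all assumptions.

```python
import struct

# pcapng block type ids (SHB, IDB, SPB, NRB, ISB, EPB); little-endian sections assumed
SHB, IDB, SPB, NRB, ISB, EPB = 0x0A0D0D0A, 1, 3, 4, 5, 6
KNOWN_TYPES = {SHB, IDB, SPB, NRB, ISB, EPB}
MIN_BLOCK = 12  # block type + total length + trailing total length
def block_at(buf, off):
    """(type, length) if a self-consistent block header starts at off, else None."""
    if off + MIN_BLOCK > len(buf):
        return None
    btype, length = struct.unpack_from("<II", buf, off)
    ok = btype in KNOWN_TYPES and length >= MIN_BLOCK and length % 4 == 0 and off + length <= len(buf)
    return (btype, length) if ok and struct.unpack_from("<I", buf, off + length - 4)[0] == length else None
def resync(buf, off, lookahead=3):
    """Byte-by-byte scan for an offset where `lookahead` blocks chain cleanly (or chain to EOF)."""
    while off < len(buf):
        pos, chain = off, 0
        while chain < lookahead and pos < len(buf) and (blk := block_at(buf, pos)):
            pos, chain = pos + blk[1], chain + 1
        if chain and (chain == lookahead or pos == len(buf)):
            return off
        off += 1
    return None
def walk(buf):
    """Walk the block sequence; on corruption resync. Returns ([(off, type, len)...], bytes_skipped)."""
    blocks, off, skipped = [], 0, 0
    while off < len(buf):
        blk = block_at(buf, off)
        if blk is None:
            nxt = resync(buf, off + 1)
            if nxt is None:  # trailing garbage with no recoverable chain
                return blocks, skipped + len(buf) - off
            skipped, off = skipped + nxt - off, nxt
            continue
        blocks.append((off, blk[0], blk[1]))
        off += blk[1]
    return blocks, skipped
def make_block(btype, body):
    """Build a little-endian block: header, body padded to 32 bits, trailing length."""
    body += b"\0" * (-len(body) % 4)
    length = MIN_BLOCK + len(body)
    return struct.pack("<II", btype, length) + body + struct.pack("<I", length)
# Constructed sample: a section, an EPB cut off after 23 bytes (truncated capture), a fresh section
SHB_BODY = struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)
IDB_BODY = struct.pack("<HHI", 1, 0, 65535)
epb_body = lambda d: struct.pack("<IIIII", 0, 0, 0x0001E240, len(d), len(d)) + d
SAMPLE = (make_block(SHB, SHB_BODY) + make_block(IDB, IDB_BODY) + make_block(EPB, epb_body(bytes(range(6))))
          + make_block(EPB, epb_body(b"\xaa" * 6))[:23]
          + make_block(SHB, SHB_BODY) + make_block(IDB, IDB_BODY) + make_block(EPB, epb_body(bytes(range(6, 12)))))
```

The offsets returned by `walk` are what a repair pass would use to rewrite the length fields in place or to copy only the clean blocks out to a new file.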