[ntar-workers] Fw: [tcpdump-workers] NTAR - PCAP next generation dump file format

Gianluca Varenni gianluca.varenni at gmail.com
Mon Jun 27 01:12:38 GMT 2005


----- Original Message ----- 
From: "Christian Kreibich" <christian at whoop.org>
To: "tcpdump workers" <tcpdump-workers at lists.tcpdump.org>
Sent: Sunday, June 26, 2005 3:38 PM
Subject: Re: [tcpdump-workers] NTAR - PCAP next generation dump file format


> Hi Ronnie,
> 
> On Sat, 2005-06-25 at 20:48 -0400, ronnie sahlberg wrote:
>>
>> I often work with very very large capture files and often want to only
>> extract a very small subset (packets captured between time X and time
>> Y).
>> This is very very slow with the current fileformats due to the massive
>> amount of data that has to be processed.
> 
> there are at least two tools out there that make hunting down a given
> timestamp in even huge pcap files fast by using binary search and
> heuristics to resynchronize with the packet stream -- Vern Paxson's
> tcpslice and my library version of its algorithm, libpcapnav, for
> example.
> 
> http://netdude.sourceforge.net/doco/libpcapnav/c16.html#AEN20
> 
> IIRC, the new trace format simplifies scanning backwards in a trace by
> giving additional clues on the size of individual entities (for lack of
> a better term, since I presume not all entities have to contain packets
> any more), so this should work even better now.
> 
> While I think nothing's wrong with a good "toc" structure for the new
> format, I think it's at least as important to provide good clues to free
> fseek()s to find their way back into the entity sequence.
> 
> Cheers,
> Christian.
> -- 
> ________________________________________________________________________
>                                          http://www.cl.cam.ac.uk/~cpk25
>                                                    http://www.whoop.org
> 
> 
> -
> This is the tcpdump-workers list.
> Visit https://lists.sandelman.ca/ to unsubscribe.
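The binary-search-plus-resynchronisation approach Christian describes, as an added illustration (this is not tcpslice or libpcapnav code, and not from the thread). It assumes the classic little-endian libpcap layout (24-byte global header, then records with a 16-byte header and `incl_len` bytes of data), builds a constructed in-memory capture, and looks up the first record at or after a target timestamp by seeking to the middle of the byte stream, sliding forward until two consecutive record headers look sane, and halving from there. The `header_plausible` heuristic and the `WALK_THRESHOLD` constant are this example's own choices.

```python
import struct

# Classic libpcap layout (little-endian variant). Records carry no back-pointer,
# so a seek into the middle of the file must resynchronise with the record stream.
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
WALK_THRESHOLD = 4096                   # below this span, walk records linearly


def build_sample_pcap(n, start_sec=1_119_700_000, step=2, snaplen=65535):
    """Constructed sample capture: n records, `step` seconds apart, varying sizes."""
    parts = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)]
    for i in range(n):
        payload = bytes([i % 256]) * (40 + (i * 37) % 200)
        parts.append(REC_HDR.pack(start_sec + i * step, (i * 12345) % 1_000_000,
                                  len(payload), len(payload)))
        parts.append(payload)
    return b"".join(parts)


def ts_at(data, off):
    """(ts_sec, ts_usec) of the record header at `off`."""
    return REC_HDR.unpack_from(data, off)[:2]


def _sane(sec, usec, incl, orig, snaplen, t_min, t_max):
    return usec < 1_000_000 and 0 < incl <= snaplen and incl <= orig and t_min <= sec <= t_max


def header_plausible(data, off, snaplen, t_min, t_max):
    """Resync heuristic (this example's own): the header at `off` has sane lengths and a
    timestamp inside the capture's range, and the header that would follow it is sane
    and not earlier in time. Two agreeing headers make a false hit in payload unlikely."""
    if off + REC_HDR.size > len(data):
        return False
    sec, usec, incl, orig = REC_HDR.unpack_from(data, off)
    if not _sane(sec, usec, incl, orig, snaplen, t_min, t_max):
        return False
    nxt = off + REC_HDR.size + incl
    if nxt == len(data):
        return True                     # last record in the file
    if nxt + REC_HDR.size > len(data):
        return False                    # would overrun the file
    sec2, usec2, incl2, orig2 = REC_HDR.unpack_from(data, nxt)
    return _sane(sec2, usec2, incl2, orig2, snaplen, t_min, t_max) and (sec2, usec2) >= (sec, usec)


def resync(data, off, snaplen, t_min, t_max):
    """From an arbitrary byte offset, slide forward to the next plausible record header."""
    while off + REC_HDR.size <= len(data):
        if header_plausible(data, off, snaplen, t_min, t_max):
            return off
        off += 1
    return None


def walk(data, off, target):
    """Linear scan from a known record offset: first record with timestamp >= target."""
    while off + REC_HDR.size <= len(data):
        sec, usec, incl, _ = REC_HDR.unpack_from(data, off)
        if (sec, usec) >= target:
            return off
        off += REC_HDR.size + incl
    return None


def capture_time_range(data, snaplen):
    """(first_sec, last_sec): the first record sits right after the global header;
    the last is found by resyncing near the end of the file and walking to the end."""
    first = GLOBAL_HDR.size
    t_min = ts_at(data, first)[0]
    off = resync(data, max(first, len(data) - WALK_THRESHOLD), snaplen, t_min, 0xFFFFFFFF)
    off = first if off is None else off
    last = off
    while off + REC_HDR.size <= len(data):
        last = off
        off += REC_HDR.size + REC_HDR.unpack_from(data, off)[2]
    return t_min, ts_at(data, last)[0]


def first_record_at_or_after(data, target):
    """Binary search by timestamp over raw bytes. Invariant: the record at `lo` is
    before `target`; `hi` is a record at/after `target` or the end of file."""
    magic, _, _, _, _, snaplen, _ = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    t_min, t_max = capture_time_range(data, snaplen)
    lo, hi = GLOBAL_HDR.size, len(data)
    if ts_at(data, lo) >= target:
        return lo
    while hi - lo > WALK_THRESHOLD:
        off = resync(data, (lo + hi) // 2, snaplen, t_min, t_max)
        if off is None or off >= hi:
            break                       # nothing usable in between; finish linearly
        if ts_at(data, off) >= target:
            hi = off
        else:
            lo = off
    return walk(data, lo, target)
```

Each probe touches only a few kilobytes around the midpoint, so the cost is logarithmic in file size rather than linear; the linear `walk` over the final small span is also the reference against which the search result can be checked on a real file.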

