[ntar-workers] Re: [Ethereal-dev] Re: NTAR - PCAP next generation dump file format implementation

Pekka Pietikainen pp at ee.oulu.fi
Mon Jun 27 17:54:51 GMT 2005


On Mon, Jun 27, 2005 at 01:21:19PM +0200, LEGO wrote:
> Another point is not to have to seek backwards to fill in fields while
> dumping. Neither I like the Idea of having to keep a whole chunk in
> memory nor to have to keep more than few very essential state
> variables.
External index files (using sqlite or whatnot) might also make sense
for some people. Outside the scope of ntar itself, sure.

So basically you have one (or several) "master" ntar files, then "index"
files which have at least (timestamp, file id, offset) tuples. Quickly want to
get the contents of a specific network flow? Run a tcpdump filter against
the master, generate an index of the packets belonging to that flow, and access the
index whenever you want to access the actual packets :-) Fast and pretty
space-efficient too.
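The index scheme sketched above (scan the master once, keep timestamp/file-id/offset tuples for the packets a filter selects, then seek straight to an offset), as an added Python example that is not code from this post or from ntar/libpcap. It assumes the master is a classic libpcap file and stands in a byte-prefix predicate for the tcpdump filter; the sample capture is constructed inline.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic microsecond-resolution pcap magic
GLOBAL_HDR = 24           # global header length in bytes
REC_HDR = 16              # per-record header: ts_sec, ts_usec, incl_len, orig_len

def _endian(pcap):
    """Pick the struct byte-order prefix from the magic number."""
    for prefix in ("<", ">"):
        if struct.unpack(prefix + "I", pcap[:4])[0] == PCAP_MAGIC:
            return prefix
    raise ValueError("not a classic pcap file")

def build_index(pcap, file_id, keep=lambda pkt: True):
    """Walk the master file once and return (timestamp, file_id, offset)
    tuples for every record whose bytes satisfy `keep` (the 'filter').
    A truncated trailing record is skipped rather than indexed."""
    e = _endian(pcap)
    index, off = [], GLOBAL_HDR
    while off + REC_HDR <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(e + "IIII", pcap[off:off + REC_HDR])
        start, end = off + REC_HDR, off + REC_HDR + incl_len
        if end > len(pcap):
            break
        if keep(pcap[start:end]):
            index.append((ts_sec + ts_usec / 1e6, file_id, off))
        off = end
    return index

def read_packet(pcap, offset):
    """Random access: jump to a record offset taken from the index."""
    e = _endian(pcap)
    _, _, incl_len, _ = struct.unpack(e + "IIII", pcap[offset:offset + REC_HDR])
    return pcap[offset + REC_HDR:offset + REC_HDR + incl_len]

def make_pcap(records):
    """Constructed sample: little-endian pcap from (ts_sec, payload) pairs."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts_sec, payload in records:
        out += struct.pack("<IIII", ts_sec, 0, len(payload), len(payload)) + payload
    return out

SAMPLE = make_pcap([(1, b"flowA-1"), (2, b"flowB-1"), (3, b"flowA-2")])
# Hypothetical "filter": packets belonging to flow A, by payload prefix
FLOW_A = build_index(SAMPLE, file_id=0, keep=lambda p: p.startswith(b"flowA"))

if __name__ == "__main__":
    for ts, fid, off in FLOW_A:
        print(ts, fid, off, read_packet(SAMPLE, off))
```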

