[ntar-workers] PacketBlock, PacketsBlock, GoPBlock
Jose M. Gonzalez
chema at cs.berkeley.edu
Thu Jun 30 07:50:16 GMT 2005
Hi,
Here's my input on the PacketBlock and PacketsBlock issue:
- I think the having each packet encapsulated in a block is a good idea,
as it permits mixing up packets and information on the capture
process. For example, the dumper may realize that it has dropped
some packets, or that some network event has happened that changes
the meaning of the capture process. We want that information in
sequential order with the packet capture process. I'd nevertheless
change the name from PacketBlock to something like ExtendedPacketBlock,
or FullPacketBlock.
- Once this has been said, I understand the 12 byte overhead may be too
much in some scenarios. I don't think that's the case when dumping
non-compressed packets, though. You must anyway add 5 words (see
Figure 5), the packet header, and the packet data. 3 extra bytes
shouldn't kill you.
IMO, the overhead is important when using compression. To take into
consideration this case, I'd use Ronnie's idea of a block of packets.
I'd suggest the (MPEG-inspired) terminology GoPBlock, for "Group of
Packets," which somebody could find less confusing than PacketsBlock
(I'd avoid using the word "compressed," as some uses of GoPs w/o
compression may also make sense).
A GoPBlock body will follow the following structure:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| GoPBlock type /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ packet header/packet data/packet header/packet data... /
/ /
/ /* variable length, aligned to 32 bits */ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- The GoPBlock type will determine the packet header/packet data structure.
- I'd make mandatory at least one GoPBlock type, "old-pcap", that would
correspond to the old 4-word pcap header format (ts_sec, ts_usec, len,
caplen), followed by the captured data. This will allow fast conversion
of old pcap traces to the new format.
- Vern and I added packet compression to pktd, a packet capture and injection
daemon (there's a paper in PAM 2003). The compression was based on
Van Jacobson's CSLIP, and it managed to squeeze traces up to less than
10 bytes per packet. I'll try to provide the details tomorrow (I have
to take the dust off my notes).
- Some notes on this GopBlock idea:
- If the trace reader knows about the GoPBlock type, it can easily
get the TSofFirstPacket and TSofLastPacket that Ronnie wanted. For
the TSofFirstPacket, read the first packet. For the TSofLastPacket,
get the next GoPBlock, ExtendedPacketBlock, or SimplePacketBlock,
and the (first) packet timestamp shouldn't be that far from
TSofLastPacket.
- If an ntar trace reader doesn't know about the GoPBlock type, it can
only infer that it skipped some packets, not how many, or anything
about the packets themselves.
- Packets in a GoPBlock would be browsable only in a sequential
fashion (excepting tcpslice-like hacks when possible) . That's a fair
cost for the space savings.
Regards.
-Chema
More information about the ntar-workers
mailing list