[ntar-workers] Simple packet block (was: Seekable file layouts etc)

Robin Sommer robinsommer at web.de
Thu Jun 30 08:37:05 GMT 2005


On Wed, Jun 29, 2005 at 17:40 -0700, Christian Kreibich wrote:

> - I don't like the distinction in Packet Block and Simple Packet Block.

I second that. In particular, I am not sure if the SPB will be
helpful at all as it is not going to include any timestamps. The
specification says:

--------- cut -------------------------------------------------------
The Simple Packet Block does not contain the timestamp because this
is often one of the most costly operations on PCs. Additionally,
there are applications that do not require it; e.g. an Intrusion
Detection System is interested in packets, not in their timestamp.
--------- cut -------------------------------------------------------

Unfortunately, this is wrong wrt intrusion detection: without
timing information, an IDS is not able to perform any reasonable
analysis. More generally, I believe that packet timestamps are one
of the most valuable pieces of information contained in a packet trace.
Essentially, almost all applications do need them.

Robin

-- 
Robin Sommer * Room        01.08.055 * www.net.in.tum.de
TU Muenchen  * Phone (089) 289-18006 *  sommer at in.tum.de 
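The following is an added example, not code from this post or from the ntar/pcapng project, that makes the point of the thread concrete: it builds and parses a pcapng Simple Packet Block (type 0x00000003) next to an Enhanced Packet Block (type 0x00000006, the block the current pcapng specification uses in place of the Packet Block discussed here), and shows that a consumer such as an IDS cannot compute inter-arrival times from SPB records at all. Assumptions: the timestamp resolution is the spec default of microseconds (no if_tsresol option), the packet is not truncated by the interface snaplen (the SPB stores no captured length), and the sample packet bytes are constructed.

```python
import struct

# pcapng block type codes (from the pcapng specification)
SIMPLE_PACKET_BLOCK = 0x00000003
ENHANCED_PACKET_BLOCK = 0x00000006


def _pad32(n):
    """Round a byte length up to the next multiple of 4 (pcapng 32-bit alignment)."""
    return (n + 3) & ~3


def _frame(block_type, body, endian):
    """Wrap a block body in the generic pcapng block header and trailing length."""
    total = 12 + len(body)  # type (4) + length (4) + body + trailing length (4)
    return (struct.pack(endian + "II", block_type, total)
            + body
            + struct.pack(endian + "I", total))


def build_spb(packet, endian="<"):
    """Simple Packet Block: only the original packet length and the padded bytes."""
    padded = packet + b"\x00" * (_pad32(len(packet)) - len(packet))
    return _frame(SIMPLE_PACKET_BLOCK, struct.pack(endian + "I", len(packet)) + padded, endian)


def build_epb(packet, ts_units, interface_id=0, endian="<"):
    """Enhanced Packet Block: interface id, 64-bit timestamp (high word first),
    captured and original lengths, padded bytes (no options appended)."""
    padded = packet + b"\x00" * (_pad32(len(packet)) - len(packet))
    header = struct.pack(endian + "IIIII", interface_id,
                         ts_units >> 32, ts_units & 0xFFFFFFFF,
                         len(packet), len(packet))
    return _frame(ENHANCED_PACKET_BLOCK, header + padded, endian)


def parse_block(buf, offset=0, endian="<"):
    """Parse one packet block at `offset`; return (record, offset of next block)."""
    block_type, total = struct.unpack_from(endian + "II", buf, offset)
    if total < 12 or total % 4 or offset + total > len(buf):
        raise ValueError("bad block length %d" % total)
    (trailer,) = struct.unpack_from(endian + "I", buf, offset + total - 4)
    if trailer != total:
        raise ValueError("block length trailer mismatch")
    body = buf[offset + 8: offset + total - 4]
    if block_type == SIMPLE_PACKET_BLOCK:
        (orig_len,) = struct.unpack_from(endian + "I", body, 0)
        # No timestamp and no captured-length field: the real captured length is
        # min(orig_len, interface snaplen); this example assumes no truncation.
        record = {"block": "SPB", "timestamp": None, "orig_len": orig_len,
                  "data": body[4:4 + orig_len]}
    elif block_type == ENHANCED_PACKET_BLOCK:
        iface, ts_hi, ts_lo, cap_len, orig_len = struct.unpack_from(endian + "IIIII", body, 0)
        record = {"block": "EPB", "interface": iface,
                  "timestamp": (ts_hi << 32) | ts_lo,
                  "cap_len": cap_len, "orig_len": orig_len,
                  "data": body[20:20 + cap_len]}
    else:
        raise ValueError("not a packet block: 0x%08x" % block_type)
    return record, offset + total


def parse_blocks(buf, endian="<"):
    """Parse a byte string consisting only of consecutive packet blocks."""
    records, offset = [], 0
    while offset < len(buf):
        record, offset = parse_block(buf, offset, endian)
        records.append(record)
    return records


def inter_arrival_seconds(records, ts_resolution=1e-6):
    """Gaps between consecutive packets in seconds, or None if any record
    carries no timestamp (the case for every Simple Packet Block)."""
    stamps = [r["timestamp"] for r in records]
    if any(ts is None for ts in stamps):
        return None
    return [(b - a) * ts_resolution for a, b in zip(stamps, stamps[1:])]


if __name__ == "__main__":
    # Constructed sample: a 21-byte pseudo-Ethernet frame, padded to 24 in the file.
    pkt = bytes(range(14)) + b"x" * 7
    print(inter_arrival_seconds(parse_blocks(build_spb(pkt) + build_spb(pkt))))
    print(inter_arrival_seconds(parse_blocks(build_epb(pkt, 1_000_000) + build_epb(pkt, 1_250_000))))
```

The first call returns None: two SPB records give a timing-aware consumer nothing to work with, which is the objection raised above. The second returns a single 0.25-second gap because the EPB carries the 64-bit timestamp in its fixed header.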

