[ntar-workers] Simple packet block
Loris Degioanni
loris.degioanni at gmail.com
Thu Jun 30 17:19:07 GMT 2005
Robin Sommer wrote:
> On Wed, Jun 29, 2005 at 17:40 -0700, Christian Kreibich wrote:
>
>>- I don't like the distinction between Packet Block and Simple Packet Block.
>
> I second that. In particular, I am not sure if the SPB will be
> helpful at all as it is not going to include any timestamps. The
> specification says:
>
> --------- cut -------------------------------------------------------
> The Simple Packet Block does not contain the timestamp because this
> is often one of the most costly operations on PCs. Additionally,
> there are applications that do not require it; e.g. an Intrusion
> Detection System is interested in packets, not in their timestamp.
> --------- cut -------------------------------------------------------
>
> Unfortunately, this is wrong with respect to intrusion detection: without
> timing information, an IDS is not able to perform any reasonable
> analysis. More generally, I believe that packet timestamps are among
> the most valuable pieces of information contained in a packet trace.
> Essentially, almost all applications do need them.
So almost all applications will use normal packet blocks.
However, as Stephen wrote a couple of days ago, there are some
applications for which compactness and performance (any additional field
can have a remarkable weight if you capture at millions of pps) are of
basic importance. They will use the simple packet block.
Loris
> Robin
>
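The per-packet size difference Loris is weighing, as an added example that is not code from this thread or from the ntar project: it encodes the 2005 draft's Packet Block and Simple Packet Block layouts, parses an SPB back, and sizes a trace at millions of packets. It assumes little-endian byte order (set by the Section Header Block in a real file) and omits options.

```python
import struct

PACKET_BLOCK = 0x00000002         # Packet Block of the 2005 draft (has timestamp)
SIMPLE_PACKET_BLOCK = 0x00000003  # Simple Packet Block (no timestamp, no iface id)


def _pad4(data: bytes) -> bytes:
    """pcapng pads packet data to a 32-bit boundary."""
    return data + b"\x00" * (-len(data) % 4)


def packet_block(iface_id, ts, data, orig_len=None, drops=0):
    """Packet Block body: iface id (2), drop count (2), timestamp hi/lo (4+4),
    captured len (4), original len (4), padded data. Wrapped in type/length
    header and trailing length so readers can walk the file in both directions."""
    orig_len = len(data) if orig_len is None else orig_len
    body = struct.pack("<HHIIII", iface_id, drops, ts >> 32,
                       ts & 0xFFFFFFFF, len(data), orig_len) + _pad4(data)
    total = 8 + len(body) + 4
    return struct.pack("<II", PACKET_BLOCK, total) + body + struct.pack("<I", total)


def simple_packet_block(data, orig_len=None):
    """Simple Packet Block body: original length (4) and padded data only."""
    orig_len = len(data) if orig_len is None else orig_len
    body = struct.pack("<I", orig_len) + _pad4(data)
    total = 8 + len(body) + 4
    return struct.pack("<II", SIMPLE_PACKET_BLOCK, total) + body + struct.pack("<I", total)


def parse_simple_packet_block(block, snaplen):
    """Return (original_len, captured_data). The captured length is not stored
    in an SPB: it is min(original_len, snaplen), so a reader needs the snaplen
    from the Interface Description Block to strip the padding correctly."""
    btype, total = struct.unpack_from("<II", block, 0)
    if btype != SIMPLE_PACKET_BLOCK or total != len(block):
        raise ValueError("not a well-formed Simple Packet Block")
    if struct.unpack_from("<I", block, total - 4)[0] != total:
        raise ValueError("trailing block length mismatch")
    orig_len = struct.unpack_from("<I", block, 8)[0]
    caplen = min(orig_len, snaplen)
    return orig_len, block[12:12 + caplen]


def overhead_per_packet():
    """Fixed bytes per packet beyond the padded payload, for each block kind."""
    return {"packet_block": 8 + 20 + 4, "simple_packet_block": 8 + 4 + 4}


def trace_size(n_packets, avg_padded_len, kind):
    """Bytes needed to store n_packets of a given padded payload size."""
    return n_packets * (overhead_per_packet()[kind] + avg_padded_len)
```

For one million 64-byte packets the SPB saves 16 bytes each, i.e. 16 MB per million packets, which is the kind of margin that matters only at the capture rates Loris describes.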