[ntar-workers] Simple packet block
Stephen Donnelly
stephen at endace.com
Thu Jun 30 21:49:38 GMT 2005
Loris Degioanni wrote:
> Robin Sommer wrote:
>> On Wed, Jun 29, 2005 at 17:40 -0700, Christian Kreibich wrote:
>>> - I don't like the distinction in Packet Block and Simple Packet Block.
>>
>> I second that. In particular, I am not sure if the SPB will be
>> helpful at all as it is not going to include any timestamps. The
>> specification says:
>>
>> --------- cut -------------------------------------------------------
>> The Simple Packet Block does not contain the timestamp because this
>> is often one of the most costly operations on PCs. Additionally,
>> there are applications that do not require it; e.g. an Intrusion
>> Detection System is interested in packets, not in their timestamp.
>> --------- cut -------------------------------------------------------
>>
>> Unfortunately, this is wrong with respect to intrusion detection: without
>> timing information, an IDS is not able to perform any reasonable
>> analysis. More generally, I believe that packet timestamps are one
>> of the most valuable pieces of information contained in a packet trace.
>> Essentially, almost all applications do need them.
>
> So almost all applications will use normal packet blocks.
> However, as Stephen wrote a couple of days ago, there are some
> applications for which compactness and performance (any additional field
> can have a remarkable weight if you capture at millions pps) are of
> basic importance. They will use the simple packet block.
I think having a SPB may be useful in some environments. When capturing at
high packet rates having unused option fields present is expensive in
bandwidth and space. Having the SPB not support the addition of optional
fields also simplifies parsing and should save time when reading the file.
I'm not sure if it's reasonable for the SPB to not have a timestamp. I can
imagine there may be cases where one is not necessary, but in many cases
they are, even when size is at a premium. In these cases the SPB could not
be used, so we are forced back to the normal PB.
For DAG cards the timestamp is generated in hardware, so that operation
is not expensive. Not writing the provided timestamp to disk would save
disk bandwidth/space, but may lower the utility of the collected trace too
much. I suspect most of our users would end up not using the SPB if it did
not have a timestamp.
Are we left with three PB types, 'normal', 'simple', and 'simple+ts'? Some
of these surely would seldom be used, and the cost in parsing/application
support may be too high (accessor functions?).
Thoughts?
Regards,
Stephen.
--
-----------------------------------------------------------------------
Stephen Donnelly BCMS PhD email: sfd at endace.com
Endace Technology Ltd phone: +64 7 839 0540
Hamilton, New Zealand cell: +64 21 1104378
-----------------------------------------------------------------------