
Ethereal-dev: [Ethereal-dev] Re: [tcpdump-workers] NTAR - PCAP next generation dump file forma

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Gianluca Varenni" <gianluca.varenni@xxxxxxxxx>
Date: Sun, 26 Jun 2005 18:19:40 -0700
Hi all.

Since the NTAR/pcap-ng topic spans multiple mailing lists, I suggest that everybody send messages to the ntar-workers mailing list (I forgot to put that mailing list in my original announcement mail, my bad...), so that it's easier for everyone to follow the discussion (and in order to avoid too much cross-posting).

ntar-workers@xxxxxxxxxxx

https://www.winpcap.org/mailman/listinfo/ntar-workers

Have a nice day
GV

----- Original Message -----
From: "Christian Kreibich" <christian@xxxxxxxxx>
To: "tcpdump workers" <tcpdump-workers@xxxxxxxxxxxxxxxxx>
Sent: Sunday, June 26, 2005 3:38 PM
Subject: Re: [tcpdump-workers] NTAR - PCAP next generation dump file format


Hi Ronnie,

On Sat, 2005-06-25 at 20:48 -0400, ronnie sahlberg wrote:

> I often work with very very large capture files and often want to only
> extract a very small subset (packets captured between time X and time
> Y).
> This is very very slow with the current fileformats due to the massive
> amount of data that has to be processed.

there are at least two tools out there that make hunting down a given
timestamp in even huge pcap files fast by using binary search and
heuristics to resynchronize with the packet stream -- Vern Paxson's
tcpslice and my library version of its algorithm, libpcapnav, for
example.

http://netdude.sourceforge.net/doco/libpcapnav/c16.html#AEN20

IIRC, the new trace format simplifies scanning backwards in a trace by
giving additional clues on the size of individual entities (for lack of
a better term, since I presume not all entities have to contain packets
any more), so this should work even better now.

While I think nothing's wrong with a good "toc" structure for the new
format, I think it's at least as important to provide good clues to free
fseek()s to find their way back into the entity sequence.

Cheers,
Christian.
--
________________________________________________________________________
                                         http://www.cl.cam.ac.uk/~cpk25
                                                   http://www.whoop.org

