[ntar-workers] On Markers and Bookmarks

Christian Kreibich christian at whoop.org
Tue Jul 12 01:14:00 GMT 2005 

On Thu, 2005-07-07 at 22:42 -0700, Loris Degioanni wrote:
>
> > Isn't that just the indexing we're discussing here (including Chema's
> > navigation blocks proposal)?
> 
> No, I think what Gianluca is talking about is really going back and 
> forth in the file: fseek and friends. Implementing them in a portable 
> and 64-bit-friendly way (since the specification requires 64-bit 
> support) is really complicated. Moreover, fseek seems to be very slow 
> (slower than reading everything) on several platforms.

Ewww that sucks. :(

> > Imho, yes. If the trace gets big, time becomes the primary mechanism for
> > selections. Even if you're indexing semantically different items (say
> > markers identifying the beginning of malicious flows, etc) you'll likely
> > still use time to navigate among multiple instances. I'd love to hear
> > counterexamples though.
> 
> I kind of like the idea of using time to navigate inside traces, it 
> could have many cool applications. The other important indexing method 
> in my opinion is the number of packets: you probably want to know how 
> many packets you skip if you jump to the next GoPBlock.

Yeah, that'd be nice, also for finding the total number of packets in a
trace faster than by scanning all the packet blocks.

> I think for 
> example about tools like Ethereal, which could reserve the right space 
> in the list of packets with a quick scan, without even reading the packets.
> By the way, would it make sense to report the number of packets of a 
> GoPBlock in the following GoPBlock marker? This would prevent us from 
> having to go back in the file.

I like that. I think I have a preference for end-of-block blocks, just
like with the Section End Block for sections that I proposed earlier.
Just end the GoPBlock with a separate block that can contain stats etc.

> Christian, if you are still interested in working on this, we could come 
> up with a more precise definition, and then write it down in the specs. 
> At that point, we would be ready to start the implementation. What do 
> you think?

Sure, my offer of around 1 day/week stands. I've started to look at the
ntar code.

Best,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org

More information about the ntar-workers mailing list