[Winpcap-users] Re: [tcpdump-workers] NTAR - PCAP next generation dump file format

Gianluca Varenni gianluca.varenni at gmail.com
Mon Jun 27 01:19:40 GMT 2005


Hi all.

Since the NTAR/pcap-ng topic spans multiple mailing lists, I suggest that 
everybody send messages to the ntar-workers mailing list (I forgot to put 
that mailing list in my original announcement mail, my bad...), so that it's 
easier for everyone to follow the discussion (and in order to avoid too much 
cross-posting).

ntar-workers at winpcap.org

https://www.winpcap.org/mailman/listinfo/ntar-workers

Have a nice day
GV

----- Original Message ----- 
From: "Christian Kreibich" <christian at whoop.org>
To: "tcpdump workers" <tcpdump-workers at lists.tcpdump.org>
Sent: Sunday, June 26, 2005 3:38 PM
Subject: Re: [tcpdump-workers] NTAR - PCAP next generation dump file format


> Hi Ronnie,
>
> On Sat, 2005-06-25 at 20:48 -0400, ronnie sahlberg wrote:
>>
>> I often work with very very large capture files and often want to only
>> extract a very small subset (packets captured between time X and time
>> Y).
>> This is very very slow with the current file formats due to the massive
>> amount of data that has to be processed.
>
> there are at least two tools out there that make hunting down a given
> timestamp in even huge pcap files fast by using binary search and
> heuristics to resynchronize with the packet stream -- Vern Paxson's
> tcpslice and my library version of its algorithm, libpcapnav, for
> example.
>
> http://netdude.sourceforge.net/doco/libpcapnav/c16.html#AEN20
>
> IIRC, the new trace format simplifies scanning backwards in a trace by
> giving additional clues on the size of individual entities (for lack of
> a better term, since I presume not all entities have to contain packets
> any more), so this should work even better now.
>
> While I think nothing's wrong with a good "toc" structure for the new
> format, I think it's at least as important to provide good clues to free
> fseek()s to find their way back into the entity sequence.
>
> Cheers,
> Christian.
> -- 
> ________________________________________________________________________
>                                          http://www.cl.cam.ac.uk/~cpk25
>                                                    http://www.whoop.org
>
>
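Christian's reply above describes how tcpslice and libpcapnav seek by timestamp: a binary search over byte offsets combined with heuristics to resynchronize with the record stream. The following is an added illustration of that idea for classic little-endian pcap (example code written for this page, not tcpslice's or libpcapnav's own); the ten-year timestamp plausibility window, the two-header chain check and the constructed sample capture are assumptions.

```python
import struct
GLOBAL_HDR, REC_HDR = 24, 16   # pcap file header; record header (ts_sec, ts_usec, caplen, origlen)

def build_sample_pcap(n=200, snaplen=1500):
    """Constructed sample: little-endian classic pcap, one packet per second from t=1000."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for i in range(n):
        payload = bytes([i & 0xFF]) * (40 + (i * 37) % 500)
        out += struct.pack("<IIII", 1000 + i, 0, len(payload), len(payload)) + payload
    return bytes(out)
def header_at(buf, off, snaplen, t_min, t_max):
    """(ts, caplen) if the 16 bytes at off pass the sanity checks, else None."""
    if off + REC_HDR > len(buf): return None
    ts, us, caplen, origlen = struct.unpack_from("<IIII", buf, off)
    ok = t_min <= ts <= t_max and us < 1_000_000 and 0 < caplen <= snaplen and caplen <= origlen
    return (ts, caplen) if ok else None
def resync(buf, start, limit, snaplen, t_min, t_max):
    """Scan forward from an arbitrary byte offset to the next record boundary. A candidate
    counts only if its successor is plausible too (or ends the file) and time never runs backwards."""
    for off in range(start, limit):
        h = header_at(buf, off, snaplen, t_min, t_max)
        nxt = off + REC_HDR + h[1] if h else None
        if h and (nxt == len(buf) or header_at(buf, nxt, snaplen, h[0], t_max)):
            return off
    return None

def find_first_at_or_after(buf, target_sec):
    """Byte offset of the first record with ts_sec >= target_sec, or None."""
    snaplen = struct.unpack_from("<I", buf, 16)[0]
    t_min = struct.unpack_from("<I", buf, GLOBAL_HDR)[0]
    t_max = t_min + 10 * 365 * 86400    # assumed plausibility window for timestamps
    lo, hi = GLOBAL_HDR, len(buf)       # invariant: every record before lo has ts < target
    while hi - lo > snaplen + REC_HDR:  # binary search over byte offsets, not record numbers
        mid = (lo + hi) // 2
        r = resync(buf, mid, hi, snaplen, t_min, t_max)
        h = r is not None and header_at(buf, r, snaplen, t_min, t_max)
        if not h:                       # no boundary in [mid, hi): shrink from the top
            hi = mid
        elif h[0] >= target_sec:
            hi = r
        else:
            lo = r + REC_HDR + h[1]
    off = lo                            # finish with a short linear walk from a known boundary
    while off + REC_HDR <= len(buf):
        ts, _, caplen, _ = struct.unpack_from("<IIII", buf, off)
        if ts >= target_sec:
            return off
        off += REC_HDR + caplen
    return None
```

The sanity checks (timestamp window, sub-second field, caplen against snaplen and origlen, and a plausible successor) are what let the search land at an arbitrary byte and recover a record boundary without walking the file from the start.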
