<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!--Converted with LaTeX2HTML 2002-2-1 (1.70)
original version by:  Nikos Drakos, CBLU, University of Leeds
* revised and updated by:  Marcus Hennecke, Ross Moore, Herb Swan
* with significant contributions from:
  Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
<HTML>
<HEAD>
<TITLE>5 pcap vs flow File Format</TITLE>
<META NAME="description" CONTENT="5 pcap vs flow File Format">
<META NAME="keywords" CONTENT="flowreplay">
<META NAME="resource-type" CONTENT="document">
<META NAME="distribution" CONTENT="global">

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="LaTeX2HTML v2002-2-1">
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">

<LINK REL="STYLESHEET" HREF="flowreplay.css">

<LINK REL="next" HREF="node6.html">
<LINK REL="previous" HREF="node4.html">
<LINK REL="up" HREF="flowreplay.html">
</HEAD>

<BODY >

<DIV CLASS="navigation"><!--Navigation Panel-->
<A NAME="tex2html84"
  HREF="node6.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A> 
<A NAME="tex2html82"
  HREF="flowreplay.html">
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A> 
<A NAME="tex2html76"
  HREF="node4.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A>   
<BR>
<B> Next:</B> <A NAME="tex2html85"
  HREF="node6.html">6 Plug-ins</A>
<B> Up:</B> <A NAME="tex2html83"
  HREF="flowreplay.html">Flowreplay Design Notes</A>
<B> Previous:</B> <A NAME="tex2html77"
  HREF="node4.html">4 Multiple Independent Flows</A>
<BR>
<BR></DIV>
<!--End of Navigation Panel-->

<H1><A NAME="SECTION00050000000000000000">
<SPAN CLASS="arabic">5</SPAN> <SPAN ID="hue250">pcap vs flow File Format</SPAN></A>
</H1>

<P>
<SPAN ID="hue252">As stated before, the pcap file format isn't
well suited to flowreplay because it uses the raw packet as the container
for data. Flowreplay, however, isn't interested in packets; it's interested
in data streams</SPAN><A NAME="tex2html8"
  HREF="#foot404"><SUP><SPAN CLASS="arabic">8</SPAN></SUP></A> <SPAN ID="hue256">which may span one or more TCP/UDP segments, each
carried in an IP datagram which may itself be split into multiple IP
fragments. Handling all this additional complexity requires a full
TCP/IP stack in user space, which would have additional feature requirements
specific to flowreplay.</SPAN>
<P>
<SPAN ID="hue258">Rather than trying to do that, I've decided to create
a pcap preprocessor for flowreplay called flowprep. Flowprep will
handle all the TCP/IP defragmentation/reassembly and write out a file
containing the data streams for each flow.</SPAN>
<P>
<SPAN ID="hue260">A flow file will contain three sections:</SPAN>
<P>

<OL>
<LI><SPAN ID="hue263">A header which identifies this as a flowprep file
and the file version</SPAN>
</LI>
<LI><SPAN ID="hue265">An index of all the flows contained in the file</SPAN>
</LI>
<LI><SPAN ID="hue267">The data streams themselves</SPAN>
</LI>
</OL>
<DIV ALIGN="CENTER">
<SPAN ID="hue390"><IMG
 WIDTH="668" HEIGHT="748" ALIGN="BOTTOM" BORDER="0"
 SRC="img1.png"
 ALT="\includegraphics{flowheader.eps}"></SPAN>
</DIV>

<P>
<SPAN ID="hue274">At startup, the file header is validated and the
data stream indexes are loaded into memory. The first data stream
header from each flow is then read. After that, each flow and subsequent data
stream is processed based upon the timestamps and plug-ins.</SPAN>
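<P>
The first two startup steps (validate the header, load the index) can be sketched as below. This is an added example, not flowprep code: the real field layout is the one in the figure, and the magic value <TT>FLWP</TT>, the big-endian fields, the version number and the names <TT>flow_load_index</TT> and <TT>flow_idx</TT> are assumptions made for illustration. A flow file is untrusted input, so every index entry is bounds-checked before it is stored.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed layout (hypothetical, NOT the flowprep format shown in the figure):
 *   header: magic "FLWP" | u16 version | u16 flow count   (8 bytes, big-endian)
 *   index : per flow, u32 offset of first data stream | u32 byte length
 *   data  : the data streams, addressed by the index */
#define HDR_LEN 8u
#define IDX_LEN 8u
#define FLOW_VERSION 1u

struct flow_idx { uint32_t off, len; };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate the header, then load the index. Returns flow count, or <0 on error. */
int flow_load_index(const uint8_t *buf, size_t len, struct flow_idx *out, size_t max) {
    if (len < HDR_LEN || memcmp(buf, "FLWP", 4) != 0) return -1; /* not a flow file */
    if (be16(buf + 4) != FLOW_VERSION) return -2;                /* unknown version */
    size_t n = be16(buf + 6);
    size_t data_start = HDR_LEN + n * IDX_LEN;   /* n <= 65535, cannot overflow */
    if (n > max || data_start > len) return -3;  /* index truncated or too large */
    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = buf + HDR_LEN + i * IDX_LEN;
        uint32_t off = be32(e), flen = be32(e + 4);
        /* Stream must start after the index and end inside the file. */
        if (off < data_start || off > len || flen > len - off) return -4;
        out[i].off = off;
        out[i].len = flen;
    }
    return (int)n;
}

/* Constructed sample file: two flows, "GET /" (5 bytes) and "PING" (4 bytes). */
static const uint8_t sample[] = {
    'F','L','W','P', 0,1, 0,2,
    0,0,0,24, 0,0,0,5,
    0,0,0,29, 0,0,0,4,
    'G','E','T',' ','/', 'P','I','N','G'
};

int main(void) {
    struct flow_idx idx[4];
    return flow_load_index(sample, sizeof sample, idx, 4) == 2 ? 0 : 1;
}
```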
<P>
<BR><HR><H4>Footnotes</H4>
<DL>
<DT><A NAME="foot404">...&nbsp;</A><A
 HREF="node5.html#tex2html8"><SUP><SPAN CLASS="arabic">8</SPAN></SUP></A></DT>
<DD><SPAN ID="hue389">A "data stream", as I call it, is a simplex
communication from the client or server which is a complete query,
response or message.</SPAN>

</DD>
</DL>
<ADDRESS>
Aaron Turner
2005-06-28
</ADDRESS>
</BODY>
</HTML>