| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130 |
- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
- <!--Converted with LaTeX2HTML 2002-2-1 (1.70)
- original version by: Nikos Drakos, CBLU, University of Leeds
- * revised and updated by: Marcus Hennecke, Ross Moore, Herb Swan
- * with significant contributions from:
- Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
- <HTML>
- <HEAD>
- <TITLE>5 pcap vs flow File Format</TITLE>
- <META NAME="description" CONTENT="5 pcap vs flow File Format">
- <META NAME="keywords" CONTENT="flowreplay">
- <META NAME="resource-type" CONTENT="document">
- <META NAME="distribution" CONTENT="global">
- <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
- <META NAME="Generator" CONTENT="LaTeX2HTML v2002-2-1">
- <META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">
- <LINK REL="STYLESHEET" HREF="flowreplay.css">
- <LINK REL="next" HREF="node6.html">
- <LINK REL="previous" HREF="node4.html">
- <LINK REL="up" HREF="flowreplay.html">
- <LINK REL="next" HREF="node6.html">
- </HEAD>
- <BODY >
- <DIV CLASS="navigation"><!--Navigation Panel-->
- <A NAME="tex2html84"
- HREF="node6.html">
- <IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A>
- <A NAME="tex2html82"
- HREF="flowreplay.html">
- <IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A>
- <A NAME="tex2html76"
- HREF="node4.html">
- <IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A>
- <BR>
- <B> Next:</B> <A NAME="tex2html85"
- HREF="node6.html">6 Plug-ins</A>
- <B> Up:</B> <A NAME="tex2html83"
- HREF="flowreplay.html">Flowreplay Design Notes</A>
- <B> Previous:</B> <A NAME="tex2html77"
- HREF="node4.html">4 Multiple Independent Flows</A>
- <BR>
- <BR></DIV>
- <!--End of Navigation Panel-->
- <H1><A NAME="SECTION00050000000000000000">
- <SPAN CLASS="arabic">5</SPAN> <SPAN ID="hue250">pcap vs flow File Format</SPAN></A>
- </H1>
- <P>
- <SPAN ID="hue252">As stated before, the pcap file format really isn't
- well suited for flowreplay because it uses the raw packet as a container
- for data. Flowreplay however isn't interested in packets, it's interested
- in data streams</SPAN><A NAME="tex2html8"
- HREF="#foot404"><SUP><SPAN CLASS="arabic">8</SPAN></SUP></A> <SPAN ID="hue256">which may span one or more TCP/UDP segments, each
- comprised of an IP datagram which may be comprised of multiple IP
- fragments. Handling all this additional complexity requires a full
- TCP/IP stack in user space which would have additional feature requirements
- specific to flowreplay.</SPAN>
- <P>
- <SPAN ID="hue258">Rather then trying to do that, I've decided to create
- a pcap preprocessor for flowreplay called: flowprep. Flowprep will
- handle all the TCP/IP defragmentation/reassembly and write out a file
- containing the data streams for each flow.</SPAN>
- <P>
- <SPAN ID="hue260">A flow file will contain three sections:</SPAN>
- <P>
- <OL>
- <LI><SPAN ID="hue263">A header which identifies this as a flowprep file
- and the file version</SPAN>
- </LI>
- <LI><SPAN ID="hue265">An index of all the flows contained in the file</SPAN>
- </LI>
- <LI><SPAN ID="hue267">The data streams themselves</SPAN>
- </LI>
- </OL>
- <DIV ALIGN="CENTER">
- <SPAN ID="hue390"><IMG
- WIDTH="668" HEIGHT="748" ALIGN="BOTTOM" BORDER="0"
- SRC="img1.png"
- ALT="\includegraphics{flowheader.eps}"></SPAN>
- </DIV>
- <P>
- <SPAN ID="hue274">At startup, the file header is validated and the
- data stream indexes are loaded into memory. Then the first data stream
- header from each flow is read. Then each flow and subsequent data
- stream is processed based upon the timestamps and plug-ins.</SPAN>
- <P>
- <BR><HR><H4>Footnotes</H4>
- <DL>
- <DT><A NAME="foot404">... </A><A
- HREF="node5.html#tex2html8"><SUP><SPAN CLASS="arabic">8</SPAN></SUP></A></DT>
- <DD><SPAN ID="hue389">A ``data stream'' as I call it is a simplex
- communication from the client or server which is a complete query,
- response or message.</SPAN>
- </DD>
- </DL>
- <DIV CLASS="navigation"><HR>
- <!--Navigation Panel-->
- <A NAME="tex2html84"
- HREF="node6.html">
- <IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A>
- <A NAME="tex2html82"
- HREF="flowreplay.html">
- <IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A>
- <A NAME="tex2html76"
- HREF="node4.html">
- <IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A>
- <BR>
- <B> Next:</B> <A NAME="tex2html85"
- HREF="node6.html">6 Plug-ins</A>
- <B> Up:</B> <A NAME="tex2html83"
- HREF="flowreplay.html">Flowreplay Design Notes</A>
- <B> Previous:</B> <A NAME="tex2html77"
- HREF="node4.html">4 Multiple Independent Flows</A></DIV>
- <!--End of Navigation Panel-->
- <ADDRESS>
- Aaron Turner
- 2005-08-07
- </ADDRESS>
- </BODY>
- </HTML>
|
