node5.html 4.6 KB

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!--Converted with LaTeX2HTML 2002-2 (1.70)
original version by: Nikos Drakos, CBLU, University of Leeds
* revised and updated by: Marcus Hennecke, Ross Moore, Herb Swan
* with significant contributions from:
Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
<HTML>
<HEAD>
<TITLE>5 pcap vs flow File Format</TITLE>
<META NAME="description" CONTENT="5 pcap vs flow File Format">
<META NAME="keywords" CONTENT="flowreplay">
<META NAME="resource-type" CONTENT="document">
<META NAME="distribution" CONTENT="global">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="LaTeX2HTML v2002-2">
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">
<LINK REL="STYLESHEET" HREF="flowreplay.css">
<LINK REL="next" HREF="node6.html">
<LINK REL="previous" HREF="node4.html">
<LINK REL="up" HREF="flowreplay.html">
<LINK REL="next" HREF="node6.html">
</HEAD>
<BODY >
<H1><A NAME="SECTION00050000000000000000">
<SPAN CLASS="arabic">5</SPAN> <SPAN ID="hue251">pcap vs flow File Format</SPAN></A>
</H1>
<P>
<SPAN ID="hue253">As stated before, the pcap file format really isn't
well suited for flowreplay because it uses the raw packet as a container
for data. Flowreplay, however, isn't interested in packets; it's interested
in data streams</SPAN><A NAME="tex2html8"
HREF="#foot405"><SUP><SPAN CLASS="arabic">8</SPAN></SUP></A> <SPAN ID="hue257">which may span one or more TCP/UDP segments, each
comprised of an IP datagram which may be comprised of multiple IP
fragments. Handling all this additional complexity requires a full
TCP/IP stack in user space, which would have additional feature requirements
specific to flowreplay.</SPAN>
<P>
<SPAN ID="hue259">Rather than trying to do that, I've decided to create
a pcap preprocessor for flowreplay called flowprep. Flowprep will
handle all the TCP/IP defragmentation/reassembly and write out a file
containing the data streams for each flow.</SPAN>
<P>
<SPAN ID="hue261">A flow file will contain three sections:</SPAN>
<P>
<OL>
<LI><SPAN ID="hue264">A header which identifies this as a flowprep file
and the file version</SPAN>
</LI>
<LI><SPAN ID="hue266">An index of all the flows contained in the file</SPAN>
</LI>
<LI><SPAN ID="hue268">The data streams themselves</SPAN>
</LI>
</OL>
<DIV ALIGN="CENTER">
<SPAN ID="hue391"><IMG
WIDTH="668" HEIGHT="748" ALIGN="BOTTOM" BORDER="0"
SRC="img1.png"
ALT="\includegraphics{flowheader}"></SPAN></DIV>
<P>
<SPAN ID="hue275">At startup, the file header is validated and the
data stream indexes are loaded into memory. Then the first data stream
header from each flow is read. Then each flow and subsequent data
stream is processed based upon the timestamps and plug-ins.</SPAN>
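The startup sequence described above, as an added example that is not flowprep's or flowreplay's own code: it validates the header, loads the index, and bounds-checks every offset and length before yielding data streams in timestamp order. The byte layout, the `FLWP` magic and all function names are assumptions made for illustration (the flowheader figure is not reproduced here), and plug-in processing is left out.

```python
import heapq
import struct

# Assumed layout (hypothetical): header | index of (offset, count) | streams
MAGIC, VERSION = b"FLWP", 1
HDR, IDX, STREAM = (struct.Struct(f) for f in ("!4sHH", "!II", "!IIBI"))

def build_flow_file(flows):  # flows: lists of (sec, usec, direction, payload)
    body, index = b"", b""
    base = HDR.size + IDX.size * len(flows)
    for streams in flows:
        index += IDX.pack(base + len(body), len(streams))
        for sec, usec, direction, payload in streams:
            body += STREAM.pack(sec, usec, direction, len(payload)) + payload
    return HDR.pack(MAGIC, VERSION, len(flows)) + index + body

def read_stream(buf, off):  # one stream header plus payload, never past EOF
    if off + STREAM.size > len(buf):
        raise ValueError("stream header outside file")
    sec, usec, direction, length = STREAM.unpack_from(buf, off)
    end = off + STREAM.size + length
    if end > len(buf):
        raise ValueError("stream payload outside file")
    return (sec, usec), direction, buf[off + STREAM.size:end], end

def replay_order(buf):  # validate header, load index, yield streams by time
    if len(buf) < HDR.size:
        raise ValueError("truncated header")
    magic, version, nflows = HDR.unpack_from(buf, 0)
    data_start = HDR.size + IDX.size * nflows
    if magic != MAGIC or version != VERSION or data_start > len(buf):
        raise ValueError("bad magic, unsupported version or truncated index")
    heap = []
    def push(flow, off, left):  # queue the flow's next stream by its timestamp
        if left:
            heapq.heappush(heap, (read_stream(buf, off)[0], flow, off, left))
    for flow in range(nflows):
        off, count = IDX.unpack_from(buf, HDR.size + IDX.size * flow)
        if count and off < data_start:
            raise ValueError("index entry points into header or index")
        push(flow, off, count)
    while heap:
        ts, flow, off, left = heapq.heappop(heap)
        _, direction, payload, nxt = read_stream(buf, off)
        yield flow, ts, direction, payload
        push(flow, nxt, left - 1)

# Constructed sample: two flows whose data streams interleave in time.
SAMPLE = build_flow_file([[(1, 0, 0, b"GET /"), (3, 0, 1, b"OK")], [(2, 0, 0, b"HI")]])
```

Because `replay_order` is a generator, a malformed file raises `ValueError` when iteration starts, before any stream is handed to the caller.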
<P>
<BR><HR><H4>Footnotes</H4>
<DL>
<DT><A NAME="foot405">...&nbsp;</A><A
HREF="node5.html#tex2html8"><SUP><SPAN CLASS="arabic">8</SPAN></SUP></A></DT>
<DD><SPAN ID="hue390">A "data stream", as I call it, is a simplex
communication from the client or server which is a complete query,
response or message.</SPAN>
</DD>
</DL>
<ADDRESS>
Aaron Turner
2006-07-17
</ADDRESS>
</BODY>
</HTML>