[Coral-dev] binary output format for crl_flow

Chris Rapier rapier at psc.edu
Tue Jun 17 17:54:59 PDT 2003


I have an application that uses crl_flow to parse incoming pcap data off of a 
GigE link. At this point I'm using perl to manipulate the flowdata to do some 
topology work. I also use the same flowdata to do some security work based on 
flow frequencies, anomalies, and other factors. This security work is being 
handled by a perl routine which, under normal conditions, is ponderous and slow. 
When it encounters things like large numbers of spoofs, smurf attacks or anything 
which drives the total number of IPs up it ends up trashing the machine. So I've 
been working on porting it to C and using more compact data structures and so 
forth. Which sort of makes using a perl API somewhat counter to my goal. I could 
use atoi to do everything but that strikes me as singularly inelegant, which is 
why I was hoping to get more information on the format. I'm thinking that the 
flow structure itself is 56 bytes in length but things aren't lining up properly.


Ryan Koga wrote:
> On Tue, 17 Jun 2003, Chris Rapier wrote:
> 
> 
>>Right, well, nevermind then. I'll try to suss it out on my own.
> 
> 
> Out of curiosity, why do you want this?  If you're looking to, say, read it
> with a C++ app, or do something else that makes using the Perl libraries
> unfeasible, I'd like to know, so as to potentially add features in the
> future.
> 
> Also, the binary format can change between revisions (as we find new things
> to add, or optimize something away), which is why we try to offer the
> libraries to read it.
> --
> rkoga at caida.org (Ryan Koga)
