Re: Proposed new pcap format

[Stephen Donnelly <stephen () endace com>]

Jefferson Ogata wrote:
> Something keeps bugging me, and I just want to throw it out there for 
> the mad dogs to tear into little bloody pieces:
>
> Given all the desirable options people are looking for in this, and the 
> need for future growth, I think we should seriously consider an 
> XML-based format. Besides making it easy, format-wise, to include many 
> optional features and types of metadata, programs could also embed 
> decoded frame and protocol information in appropriate elements, right 
> within the capture file.

> Yes, fully fledged decoded captures would use a lot of extra disk, but a 
> raw no-frills capture could be recorded with maybe only 50% or so overhead.

50% extra space and 50% extra disk bandwidth cost? So my 250 Megabyte per second 
pcap stream to disk becomes 375MB/s?

I'm not keen so far, although I understand the desire for flexibility. I think 
the file format needs to be as space efficient per record as possible. Extra 
information can still be carried in 'file headers', 'metadata packets', or 
attached to each packet record in *optional* metadata fields that can be omitted 
for space/speed.

Stephen.
--
-----------------------------------------------------------------------
    Stephen Donnelly BCMS PhD           email: sfd () endace com
    Endace Technology Ltd               phone: +64 7 839 0540
    Hamilton, New Zealand               cell:  +64 21 1104378
-----------------------------------------------------------------------

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.