How to store captured packets on the fly?

Ph.Eitt

Hi,

I recently stumbled upon this marvellous library and now I plan to build
an analysis tool which will be based on jNetPcap. This tool should
analyse and capture live traffic like Wireshark but with a slightly different focus.
(I don't want to build a second protocol dissector but focus more on the flow and session analysis.)
One requirement for this tool would be a relatively small memory footprint
but with the possibility to see the content of every captured packet on demand.
I.e. I don't want to store all the packets in memory but nevertheless need fast access to every captured packet.
Now I wonder if there is any best practice for how to achieve that.

The two possible solutions i encountered:

Receive, analyze every packet and then:

1. Store every packet immediately on disk with the PcapDumper.dump() method and read this dump on demand (e.g. with the jNetStream API)?

or

2. Store the packets immediately in a DB and read on demand from the DB.
(-> this approach leads to further questions, like which DB to use, relational, OR, OO etc. )

Are there any other solutions? Has somebody tried something like this already?

I'm very happy for every feedback, hint, proposal, critique ...

Best regards

Philipp

Mark Bednarczyk

I would suggest what Wireshark does.

1) Dump all captured packets to a temporary file, or break the capture into groups of files for easier indexing/access later on.

2) Start your analyzer and analyze the captured files.

3) Reread the temp files to access packets when needed after analysis.

I think this will be the most scalable approach as long as your HDDs can keep up with the captured packet rates. Use Pcap.loop which takes the dumper directly. This will invoke the native pcap dumper to dump all packets to a file without going back and forth between native and Java spaces.

In the future, when jNetStream is integrated properly with jnetpcap as an add-on module, you can use jnetstream to do random access on any pcap file, greatly simplifying the above. Although jNetStream random access works now and is released, the 2 projects won't be integrated for a few more months.

Lastly, in jnetpcap 2.X the protocols will be released with both header dissectors and full protocol analyzers. I am working on the new design right now. You can look at the deprecated analyzers in the 1.X branch, but don't rely on them for production. They are being replaced (Tcp/Ip analyzer).

Sly Technologies, Inc.
R&D
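The three-step approach above (dump natively in groups of files, then reread each file for analysis), written out as an added example in Java; this is not code from the thread or from the jNetPcap project. It assumes the jNetPcap 1.x API names Pcap.findAllDevs, Pcap.openLive, Pcap.dumpOpen, Pcap.loop(int, PcapDumper), Pcap.openOffline and PcapPacketHandler, uses a constructed file-name prefix, and stands in a plain packet counter for the flow/session bookkeeping the original poster wants to add.

```java
import java.util.ArrayList;
import java.util.List;
import org.jnetpcap.Pcap;
import org.jnetpcap.PcapDumper;
import org.jnetpcap.PcapIf;
import org.jnetpcap.packet.PcapPacket;
import org.jnetpcap.packet.PcapPacketHandler;

public class RotatingCapture {
    // Step 1: capture `batches` groups of `perFile` packets, each group into its
    // own pcap file, so later access only has to reopen one small file.
    // Assumed jNetPcap 1.x API; file names are constructed from `prefix`.
    public static List<String> capture(String prefix, int batches, int perFile) {
        StringBuilder errbuf = new StringBuilder();
        List<PcapIf> devs = new ArrayList<PcapIf>();
        if (Pcap.findAllDevs(devs, errbuf) != Pcap.OK || devs.isEmpty()) {
            throw new IllegalStateException("no capture device: " + errbuf);
        }
        Pcap pcap = Pcap.openLive(devs.get(0).getName(), 64 * 1024,
                                  Pcap.MODE_PROMISCUOUS, 1000, errbuf);
        if (pcap == null) throw new IllegalStateException(errbuf.toString());
        List<String> files = new ArrayList<String>();
        try {
            for (int i = 0; i < batches; i++) {
                String name = prefix + "-" + i + ".pcap";
                PcapDumper dumper = pcap.dumpOpen(name);
                // Native-side dump: packets are written without crossing into Java.
                pcap.loop(perFile, dumper);
                dumper.close();
                files.add(name);
            }
        } finally {
            pcap.close();
        }
        return files;
    }

    // Steps 2/3: reread one dump file and hand every packet to the analyser.
    // The counter stands in for real flow/session bookkeeping.
    public static int analyse(String file) {
        StringBuilder errbuf = new StringBuilder();
        Pcap pcap = Pcap.openOffline(file, errbuf);
        if (pcap == null) throw new IllegalStateException(errbuf.toString());
        final int[] count = {0};
        pcap.loop(-1, new PcapPacketHandler<Object>() {   // -1: read to end of file
            public void nextPacket(PcapPacket packet, Object user) {
                count[0]++;
            }
        }, null);
        pcap.close();
        return count[0];
    }
}
```

Because each file holds a bounded number of packets, memory use is bounded by one batch while every packet stays retrievable from disk.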

Ph.Eitt
Thanks a lot for your fast and detailed response...
