Great progress, Mike!

First, let's address the schema issue. As you've probably noticed, Drill's
original notion was that data needed no schema: the data itself provides
sufficient syntactic structure to let Drill infer schema. Also as you've
noticed, this assumption turned out to be more marketing enthusiasm than
technical reality. My favorite example is this JSON: {a: 1}{a: 1.2}. Drill
will fail: the first record has `a` as an integer, but the second value is
a float. By the second value, Drill has already allocated an integer
vector. As Charles has heard me say many times, "Drill cannot predict the
future." If the syntax is ambiguous, Drill may not do the right thing.

To address this, the team added the notion of a "provided schema", but
support is quite limited. There are two parts: planning and execution. At
execution time, a storage plugin can make use of a provided schema: the
JSON reader does so. To solve the ambiguous JSON example above, one
provides a schema that insists that `a` is a DOUBLE (say) regardless of
what the JSON text might suggest. Sounds like the XML parser needs to be
modified to make use of the provided schema. Here, again, there are two
parts. The "EVF" will handle the vector side of things. However, the parser
needs to know to expect the indicated type. That is, if a field `x` is
defined as a repeated DOUBLE (i.e. ARRAY<DOUBLE>), then the XML parser has
to understand that it will see multiple "x" elements one after another, and
to stick the values into the "x" array vector. I believe that Charles said
this functionality is missing.

We then turn to the other aspect of schema: planning. We'd like the planner
to know the schema so it can validate expressions at plan time. Currently,
Drill assumes that items have a "type to be named later", and makes some
light inferences. If you have SELECT a + b AS c, then we know that a, b and
c are numeric types, but we don't know which specific types they might be:
Drill works those out at run time. With a schema, we should assign types at
plan time, though I suppose Drill should work even without that aspect
(except that I'm sure someone will find a corner case that produces a
different result depending on whether we use the proper types at plan time.)

Another aspect is how the execution planner knows to include an included
schema in the JSON sent to the XML reader. My memory here is hazy: we have
something as demonstrated by the JSON reader. Presumably this same
technique can be used for XML. In particular, there is some JSON element
that holds the provided schema, and there is some way in the planner to
populate that element.

Another question is how Drill is made aware of the schema. This is another
area where Drill's features are somewhat incomplete. Originally, there was
a hidden JSON file in the target HDFS folder that could gather Parquet
metadata. Toward the end of the MapR era, the team added a metastore. The
Hive-based readers use the Hive metastore (HMS). Oddly, Drill cannot use
HMS for Drill's own native readers because of the issue mentioned at the
top: Drill was designed to not need a schema.

We can then ask, where would the Daffodil schemas reside? In a directory
somewhere? In a web service? In a "Daffodil metastore"? How does Daffodil
associate a schema with a file? Or, is that something that the user has to
do? The answer to this will determine how to integrate the Daffodil schema
with Drill.

Drill provides the ability to use table functions to provide extra
properties to a reader. Again, the details have become hazy, but the JSON
tests have examples, I believe. So, one solution is to convert the Daffodil
schema to the Drill schema, and have Drill read that file for each query.
Not very satisfying. Better would be to point Drill to the Daffodil schema,
and let Drill do the conversion. I don't believe we have such a mechanism
at present.

The ideal would be a unified concept of schema: a schema reader that
converts the schema to Drill format, and consistent planner and execution
use of that schema. You would just then need to create a "Daffodil schema
provider." Perhaps there is a way to leverage the metastore API to do this?

The final step would be to automate the association of files with Daffodil
schema: some kind of metastore or registry that says that "file foo.xml
uses schema pcap.dfdl" or whatever.

FWIW, Drill has the notion of a "strict" vs. "lenient" schema. A strict
schema says that the file must include only those fields in the schema. A
lenient schema says that the file may have additional fields, and those
fields use Drill's plain old data inference for those extras.

Sounds like the next three steps for you would be:

1. Extend the XML reader to use a provided schema.
2. Extend the XML reader to support arrays, as indicated by the schema.
3. Test the above using the query-time schema mechanism as demonstrated by
the schema-aware JSON reader tests.

Once that works, you can then move onto the plan-time issues.

Let's discuss the selection issues in a separate e-mail.

Thanks,

- Paul

On Fri, Aug 25, 2023 at 4:39 PM Mike Beckerle <mbecke...@apache.org> wrote:

> Below is a small JSON output from Daffodil and below that is the same
> Infoset output as XML.
> (They're inline in this message, but I also attached them as files)
>
> This is just a parse of a small PCAP file with a few ICMP packets in it.
> It's an example DFDL schema used to illustrate binary file parsing.
>
> (The schema is here https://github.com/DFDLSchemas/PCAP which uses this
> component schema: https://github.com/DFDLSchemas/ethernetIP)
>
> My theory is that Drill queries against these should be identical to
> obtain the same output row contents.
> That is, since this data has the same schema, whether it is JSON or XML
> shouldn't affect how you query it.
> To do that the XML Reader will need the XML schema (or some hand-provided
> metadata) so it knows what is an array. (Specifically PCAP.Packet is the
> array.)
>
> E.g., if you wanted to get the IPSrc and IPDest fields in a table from all
> ICMP packets in this file, that query should be the same for the JSON and
> the XML data.
>
> First question: Does that make sense? I want to make sure I'm
> understanding this right.
>
> Second question, since I don't really understand Drill SQL yet.
>
> What is a query that would pluck the IPSrc.value and IPDest.value from
> this data and make a row of each pair of those?
>
> The top level is a map with a single element named PCAP.
> The "table" is PCAP.Packet which is an array (of maps).
> And within each array item's map the fields of interest are within
> LinkLayer.Ethernet.NetworkLayer.IPv4.IPv4Header
> (so maybe IPv4Header is the table?)
> The two fields within there are IPSrc.value (AS src) and IPDest.value (AS
> dest)
>
> I'm lost on how to tell the query that the table is the array PCAP.Packet,
> or the ....IPv4Header within those maybe?
>
> Maybe this is easy, but I'm just not grokking it yet so I could use some
> help here.
>
> Thanks in advance.
>
> {
> "PCAP": {
> "PCAPHeader": {
> "MagicNumber": "D4C3B2A1",
> "Version": {
> "Major": "2",
> "Minor": "4"
> },
> "Zone": "0",
> "SigFigs": "0",
> "SnapLen": "65535",
> "Network": "1"
> },
> "Packet": [
> {
> "PacketHeader": {
> "Seconds": "1371631556",
> "USeconds": "838904",
> "InclLen": "74",
> "OrigLen": "74"
> },
> "LinkLayer": {
> "Ethernet": {
> "MACDest": "005056E01449",
> "MACSrc": "000C29340BDE",
> "Ethertype": "2048",
> "NetworkLayer": {
> "IPv4": {
> "IPv4Header": {
> "Version": "4",
> "IHL": "5",
> "DSCP": "0",
> "ECN": "0",
> "Length": "60",
> "Identification": "55107",
> "Flags": "0",
> "FragmentOffset": "0",
> "TTL": "128",
> "Protocol": "1",
> "Checksum": "11123",
> "IPSrc": {
> "value": "192.168.158.139"
> },
> "IPDest": {
> "value": "174.137.42.77"
> },
> "ComputedChecksum": "11123"
> },
> "Protocol": "1",
> "ICMPv4": {
> "Type": "8",
> "Code": "0",
> "Checksum": "10844",
> "EchoRequest": {
> "Identifier": "512",
> "SequenceNumber": "8448",
> "Payload":
> "6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869"
> }
> }
> }
> }
> }
> }
> },
> {
> "PacketHeader": {
> "Seconds": "1371631557",
> "USeconds": "55699",
> "InclLen": "74",
> "OrigLen": "74"
> },
> "LinkLayer": {
> "Ethernet": {
> "MACDest": "000C29340BDE",
> "MACSrc": "005056E01449",
> "Ethertype": "2048",
> "NetworkLayer": {
> "IPv4": {
> "IPv4Header": {
> "Version": "4",
> "IHL": "5",
> "DSCP": "0",
> "ECN": "0",
> "Length": "60",
> "Identification": "30433",
> "Flags": "0",
> "FragmentOffset": "0",
> "TTL": "128",
> "Protocol": "1",
> "Checksum": "35797",
> "IPSrc": {
> "value": "174.137.42.77"
> },
> "IPDest": {
> "value": "192.168.158.139"
> },
> "ComputedChecksum": "35797"
> },
> "Protocol": "1",
> "ICMPv4": {
> "Type": "0",
> "Code": "0",
> "Checksum": "12892",
> "EchoReply": {
> "Identifier": "512",
> "SequenceNumber": "8448",
> "Payload":
> "6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869"
> }
> }
> }
> }
> }
> }
> },
> {
> "PacketHeader": {
> "Seconds": "1371631557",
> "USeconds": "840049",
> "InclLen": "74",
> "OrigLen": "74"
> },
> "LinkLayer": {
> "Ethernet": {
> "MACDest": "005056E01449",
> "MACSrc": "000C29340BDE",
> "Ethertype": "2048",
> "NetworkLayer": {
> "IPv4": {
> "IPv4Header": {
> "Version": "4",
> "IHL": "5",
> "DSCP": "0",
> "ECN": "0",
> "Length": "60",
> "Identification": "55110",
> "Flags": "0",
> "FragmentOffset": "0",
> "TTL": "128",
> "Protocol": "1",
> "Checksum": "11120",
> "IPSrc": {
> "value": "192.168.158.139"
> },
> "IPDest": {
> "value": "174.137.42.77"
> },
> "ComputedChecksum": "11120"
> },
> "Protocol": "1",
> "ICMPv4": {
> "Type": "8",
> "Code": "0",
> "Checksum": "10588",
> "EchoRequest": {
> "Identifier": "512",
> "SequenceNumber": "8704",
> "Payload":
> "6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869"
> }
> }
> }
> }
> }
> }
> },
> {
> "PacketHeader": {
> "Seconds": "1371631558",
> "USeconds": "44196",
> "InclLen": "74",
> "OrigLen": "74"
> },
> "LinkLayer": {
> "Ethernet": {
> "MACDest": "000C29340BDE",
> "MACSrc": "005056E01449",
> "Ethertype": "2048",
> "NetworkLayer": {
> "IPv4": {
> "IPv4Header": {
> "Version": "4",
> "IHL": "5",
> "DSCP": "0",
> "ECN": "0",
> "Length": "60",
> "Identification": "30436",
> "Flags": "0",
> "FragmentOffset": "0",
> "TTL": "128",
> "Protocol": "1",
> "Checksum": "35794",
> "IPSrc": {
> "value": "174.137.42.77"
> },
> "IPDest": {
> "value": "192.168.158.139"
> },
> "ComputedChecksum": "35794"
> },
> "Protocol": "1",
> "ICMPv4": {
> "Type": "0",
> "Code": "0",
> "Checksum": "12636",
> "EchoReply": {
> "Identifier": "512",
> "SequenceNumber": "8704",
> "Payload":
> "6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869"
> }
> }
> }
> }
> }
> }
> },
> {
> "PacketHeader": {
> "Seconds": "1371631558",
> "USeconds": "841168",
> "InclLen": "74",
> "OrigLen": "74"
> },
> "LinkLayer": {
> "Ethernet": {
> "MACDest": "005056E01449",
> "MACSrc": "000C29340BDE",
> "Ethertype": "2048",
> "NetworkLayer": {
> "IPv4": {
> "IPv4Header": {
> "Version": "4",
> "IHL": "5",
> "DSCP": "0",
> "ECN": "0",
> "Length": "60",
> "Identification": "55113",
> "Flags": "0",
> "FragmentOffset": "0",
> "TTL": "128",
> "Protocol": "1",
> "Checksum": "11117",
> "IPSrc": {
> "value": "192.168.158.139"
> },
> "IPDest": {
> "value": "174.137.42.77"
> },
> "ComputedChecksum": "11117"
> },
> "Protocol": "1",
> "ICMPv4": {
> "Type": "8",
> "Code": "0",
> "Checksum": "10332",
> "EchoRequest": {
> "Identifier": "512",
> "SequenceNumber": "8960",
> "Payload":
> "6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869"
> }
> }
> }
> }
> }
> }
> },
> {
> "PacketHeader": {
> "Seconds": "1371631559",
> "USeconds": "85428",
> "InclLen": "74",
> "OrigLen": "74"
> },
> "LinkLayer": {
> "Ethernet": {
> "MACDest": "000C29340BDE",
> "MACSrc": "005056E01449",
> "Ethertype": "2048",
> "NetworkLayer": {
> "IPv4": {
> "IPv4Header": {
> "Version": "4",
> "IHL": "5",
> "DSCP": "0",
> "ECN": "0",
> "Length": "60",
> "Identification": "30448",
> "Flags": "0",
> "FragmentOffset": "0",
> "TTL": "128",
> "Protocol": "1",
> "Checksum": "35782",
> "IPSrc": {
> "value": "174.137.42.77"
> },
> "IPDest": {
> "value": "192.168.158.139"
> },
> "ComputedChecksum": "35782"
> },
> "Protocol": "1",
> "ICMPv4": {
> "Type": "0",
> "Code": "0",
> "Checksum": "12380",
> "EchoReply": {
> "Identifier": "512",
> "SequenceNumber": "8960",
> "Payload":
> "6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869"
> }
> }
> }
> }
> }
> }
> },
> {
> "PacketHeader": {
> "Seconds": "1371631559",
> "USeconds": "841775",
> "InclLen": "74",
> "OrigLen": "74"
> },
> "LinkLayer": {
> "Ethernet": {
> "MACDest": "005056E01449",
> "MACSrc": "000C29340BDE",
> "Ethertype": "2048",
> "NetworkLayer": {
> "IPv4": {
> "IPv4Header": {
> "Version": "4",
> "IHL": "5",
> "DSCP": "0",
> "ECN": "0",
> "Length": "60",
> "Identification": "55118",
> "Flags": "0",
> "FragmentOffset": "0",
> "TTL": "128",
> "Protocol": "1",
> "Checksum": "11112",
> "IPSrc": {
> "value": "192.168.158.139"
> },
> "IPDest": {
> "value": "174.137.42.77"
> },
> "ComputedChecksum": "11112"
> },
> "Protocol": "1",
> "ICMPv4": {
> "Type": "8",
> "Code": "0",
> "Checksum": "10076",
> "EchoRequest": {
> "Identifier": "512",
> "SequenceNumber": "9216",
> "Payload":
> "6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869"
> }
> }
> }
> }
> }
> }
> },
> {
> "PacketHeader": {
> "Seconds": "1371631560",
> "USeconds": "42354",
> "InclLen": "74",
> "OrigLen": "74"
> },
> "LinkLayer": {
> "Ethernet": {
> "MACDest": "000C29340BDE",
> "MACSrc": "005056E01449",
> "Ethertype": "2048",
> "NetworkLayer": {
> "IPv4": {
> "IPv4Header": {
> "Version": "4",
> "IHL": "5",
> "DSCP": "0",
> "ECN": "0",
> "Length": "60",
> "Identification": "30453",
> "Flags": "0",
> "FragmentOffset": "0",
> "TTL": "128",
> "Protocol": "1",
> "Checksum": "35777",
> "IPSrc": {
> "value": "174.137.42.77"
> },
> "IPDest": {
> "value": "192.168.158.139"
> },
> "ComputedChecksum": "35777"
> },
> "Protocol": "1",
> "ICMPv4": {
> "Type": "0",
> "Code": "0",
> "Checksum": "12124",
> "EchoReply": {
> "Identifier": "512",
> "SequenceNumber": "9216",
> "Payload":
> "6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869"
> }
> }
> }
> }
> }
> }
> }
> ]
> }
> }
>
> <?xml version="1.0" encoding="UTF-8"?>
> <tns:PCAP xmlns:tns="urn:pcap:2.4">
> <PCAPHeader>
> <MagicNumber>D4C3B2A1</MagicNumber>
> <Version>
> <Major>2</Major>
> <Minor>4</Minor>
> </Version>
> <Zone>0</Zone>
> <SigFigs>0</SigFigs>
> <SnapLen>65535</SnapLen>
> <Network>1</Network>
> </PCAPHeader>
> <Packet>
> <PacketHeader>
> <Seconds>1371631556</Seconds>
> <USeconds>838904</USeconds>
> <InclLen>74</InclLen>
> <OrigLen>74</OrigLen>
> </PacketHeader>
> <LinkLayer>
> <Ethernet>
> <MACDest>005056E01449</MACDest>
> <MACSrc>000C29340BDE</MACSrc>
> <Ethertype>2048</Ethertype>
> <NetworkLayer>
> <IPv4>
> <IPv4Header>
> <Version>4</Version>
> <IHL>5</IHL>
> <DSCP>0</DSCP>
> <ECN>0</ECN>
> <Length>60</Length>
> <Identification>55107</Identification>
> <Flags>0</Flags>
> <FragmentOffset>0</FragmentOffset>
> <TTL>128</TTL>
> <Protocol>1</Protocol>
> <Checksum>11123</Checksum>
> <IPSrc>
> <value>192.168.158.139</value>
> </IPSrc>
> <IPDest>
> <value>174.137.42.77</value>
> </IPDest>
> <ComputedChecksum>11123</ComputedChecksum>
> </IPv4Header>
> <Protocol>1</Protocol>
> <ICMPv4>
> <Type>8</Type>
> <Code>0</Code>
> <Checksum>10844</Checksum>
> <EchoRequest>
> <Identifier>512</Identifier>
> <SequenceNumber>8448</SequenceNumber>
> <Payload>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869
> </Payload>
> </EchoRequest>
> </ICMPv4>
> </IPv4>
> </NetworkLayer>
> </Ethernet>
> </LinkLayer>
> </Packet>
> <Packet>
> <PacketHeader>
> <Seconds>1371631557</Seconds>
> <USeconds>55699</USeconds>
> <InclLen>74</InclLen>
> <OrigLen>74</OrigLen>
> </PacketHeader>
> <LinkLayer>
> <Ethernet>
> <MACDest>000C29340BDE</MACDest>
> <MACSrc>005056E01449</MACSrc>
> <Ethertype>2048</Ethertype>
> <NetworkLayer>
> <IPv4>
> <IPv4Header>
> <Version>4</Version>
> <IHL>5</IHL>
> <DSCP>0</DSCP>
> <ECN>0</ECN>
> <Length>60</Length>
> <Identification>30433</Identification>
> <Flags>0</Flags>
> <FragmentOffset>0</FragmentOffset>
> <TTL>128</TTL>
> <Protocol>1</Protocol>
> <Checksum>35797</Checksum>
> <IPSrc>
> <value>174.137.42.77</value>
> </IPSrc>
> <IPDest>
> <value>192.168.158.139</value>
> </IPDest>
> <ComputedChecksum>35797</ComputedChecksum>
> </IPv4Header>
> <Protocol>1</Protocol>
> <ICMPv4>
> <Type>0</Type>
> <Code>0</Code>
> <Checksum>12892</Checksum>
> <EchoReply>
> <Identifier>512</Identifier>
> <SequenceNumber>8448</SequenceNumber>
> <Payload>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869
> </Payload>
> </EchoReply>
> </ICMPv4>
> </IPv4>
> </NetworkLayer>
> </Ethernet>
> </LinkLayer>
> </Packet>
> <Packet>
> <PacketHeader>
> <Seconds>1371631557</Seconds>
> <USeconds>840049</USeconds>
> <InclLen>74</InclLen>
> <OrigLen>74</OrigLen>
> </PacketHeader>
> <LinkLayer>
> <Ethernet>
> <MACDest>005056E01449</MACDest>
> <MACSrc>000C29340BDE</MACSrc>
> <Ethertype>2048</Ethertype>
> <NetworkLayer>
> <IPv4>
> <IPv4Header>
> <Version>4</Version>
> <IHL>5</IHL>
> <DSCP>0</DSCP>
> <ECN>0</ECN>
> <Length>60</Length>
> <Identification>55110</Identification>
> <Flags>0</Flags>
> <FragmentOffset>0</FragmentOffset>
> <TTL>128</TTL>
> <Protocol>1</Protocol>
> <Checksum>11120</Checksum>
> <IPSrc>
> <value>192.168.158.139</value>
> </IPSrc>
> <IPDest>
> <value>174.137.42.77</value>
> </IPDest>
> <ComputedChecksum>11120</ComputedChecksum>
> </IPv4Header>
> <Protocol>1</Protocol>
> <ICMPv4>
> <Type>8</Type>
> <Code>0</Code>
> <Checksum>10588</Checksum>
> <EchoRequest>
> <Identifier>512</Identifier>
> <SequenceNumber>8704</SequenceNumber>
> <Payload>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869
> </Payload>
> </EchoRequest>
> </ICMPv4>
> </IPv4>
> </NetworkLayer>
> </Ethernet>
> </LinkLayer>
> </Packet>
> <Packet>
> <PacketHeader>
> <Seconds>1371631558</Seconds>
> <USeconds>44196</USeconds>
> <InclLen>74</InclLen>
> <OrigLen>74</OrigLen>
> </PacketHeader>
> <LinkLayer>
> <Ethernet>
> <MACDest>000C29340BDE</MACDest>
> <MACSrc>005056E01449</MACSrc>
> <Ethertype>2048</Ethertype>
> <NetworkLayer>
> <IPv4>
> <IPv4Header>
> <Version>4</Version>
> <IHL>5</IHL>
> <DSCP>0</DSCP>
> <ECN>0</ECN>
> <Length>60</Length>
> <Identification>30436</Identification>
> <Flags>0</Flags>
> <FragmentOffset>0</FragmentOffset>
> <TTL>128</TTL>
> <Protocol>1</Protocol>
> <Checksum>35794</Checksum>
> <IPSrc>
> <value>174.137.42.77</value>
> </IPSrc>
> <IPDest>
> <value>192.168.158.139</value>
> </IPDest>
> <ComputedChecksum>35794</ComputedChecksum>
> </IPv4Header>
> <Protocol>1</Protocol>
> <ICMPv4>
> <Type>0</Type>
> <Code>0</Code>
> <Checksum>12636</Checksum>
> <EchoReply>
> <Identifier>512</Identifier>
> <SequenceNumber>8704</SequenceNumber>
> <Payload>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869
> </Payload>
> </EchoReply>
> </ICMPv4>
> </IPv4>
> </NetworkLayer>
> </Ethernet>
> </LinkLayer>
> </Packet>
> <Packet>
> <PacketHeader>
> <Seconds>1371631558</Seconds>
> <USeconds>841168</USeconds>
> <InclLen>74</InclLen>
> <OrigLen>74</OrigLen>
> </PacketHeader>
> <LinkLayer>
> <Ethernet>
> <MACDest>005056E01449</MACDest>
> <MACSrc>000C29340BDE</MACSrc>
> <Ethertype>2048</Ethertype>
> <NetworkLayer>
> <IPv4>
> <IPv4Header>
> <Version>4</Version>
> <IHL>5</IHL>
> <DSCP>0</DSCP>
> <ECN>0</ECN>
> <Length>60</Length>
> <Identification>55113</Identification>
> <Flags>0</Flags>
> <FragmentOffset>0</FragmentOffset>
> <TTL>128</TTL>
> <Protocol>1</Protocol>
> <Checksum>11117</Checksum>
> <IPSrc>
> <value>192.168.158.139</value>
> </IPSrc>
> <IPDest>
> <value>174.137.42.77</value>
> </IPDest>
> <ComputedChecksum>11117</ComputedChecksum>
> </IPv4Header>
> <Protocol>1</Protocol>
> <ICMPv4>
> <Type>8</Type>
> <Code>0</Code>
> <Checksum>10332</Checksum>
> <EchoRequest>
> <Identifier>512</Identifier>
> <SequenceNumber>8960</SequenceNumber>
> <Payload>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869
> </Payload>
> </EchoRequest>
> </ICMPv4>
> </IPv4>
> </NetworkLayer>
> </Ethernet>
> </LinkLayer>
> </Packet>
> <Packet>
> <PacketHeader>
> <Seconds>1371631559</Seconds>
> <USeconds>85428</USeconds>
> <InclLen>74</InclLen>
> <OrigLen>74</OrigLen>
> </PacketHeader>
> <LinkLayer>
> <Ethernet>
> <MACDest>000C29340BDE</MACDest>
> <MACSrc>005056E01449</MACSrc>
> <Ethertype>2048</Ethertype>
> <NetworkLayer>
> <IPv4>
> <IPv4Header>
> <Version>4</Version>
> <IHL>5</IHL>
> <DSCP>0</DSCP>
> <ECN>0</ECN>
> <Length>60</Length>
> <Identification>30448</Identification>
> <Flags>0</Flags>
> <FragmentOffset>0</FragmentOffset>
> <TTL>128</TTL>
> <Protocol>1</Protocol>
> <Checksum>35782</Checksum>
> <IPSrc>
> <value>174.137.42.77</value>
> </IPSrc>
> <IPDest>
> <value>192.168.158.139</value>
> </IPDest>
> <ComputedChecksum>35782</ComputedChecksum>
> </IPv4Header>
> <Protocol>1</Protocol>
> <ICMPv4>
> <Type>0</Type>
> <Code>0</Code>
> <Checksum>12380</Checksum>
> <EchoReply>
> <Identifier>512</Identifier>
> <SequenceNumber>8960</SequenceNumber>
> <Payload>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869
> </Payload>
> </EchoReply>
> </ICMPv4>
> </IPv4>
> </NetworkLayer>
> </Ethernet>
> </LinkLayer>
> </Packet>
> <Packet>
> <PacketHeader>
> <Seconds>1371631559</Seconds>
> <USeconds>841775</USeconds>
> <InclLen>74</InclLen>
> <OrigLen>74</OrigLen>
> </PacketHeader>
> <LinkLayer>
> <Ethernet>
> <MACDest>005056E01449</MACDest>
> <MACSrc>000C29340BDE</MACSrc>
> <Ethertype>2048</Ethertype>
> <NetworkLayer>
> <IPv4>
> <IPv4Header>
> <Version>4</Version>
> <IHL>5</IHL>
> <DSCP>0</DSCP>
> <ECN>0</ECN>
> <Length>60</Length>
> <Identification>55118</Identification>
> <Flags>0</Flags>
> <FragmentOffset>0</FragmentOffset>
> <TTL>128</TTL>
> <Protocol>1</Protocol>
> <Checksum>11112</Checksum>
> <IPSrc>
> <value>192.168.158.139</value>
> </IPSrc>
> <IPDest>
> <value>174.137.42.77</value>
> </IPDest>
> <ComputedChecksum>11112</ComputedChecksum>
> </IPv4Header>
> <Protocol>1</Protocol>
> <ICMPv4>
> <Type>8</Type>
> <Code>0</Code>
> <Checksum>10076</Checksum>
> <EchoRequest>
> <Identifier>512</Identifier>
> <SequenceNumber>9216</SequenceNumber>
> <Payload>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869
> </Payload>
> </EchoRequest>
> </ICMPv4>
> </IPv4>
> </NetworkLayer>
> </Ethernet>
> </LinkLayer>
> </Packet>
> <Packet>
> <PacketHeader>
> <Seconds>1371631560</Seconds>
> <USeconds>42354</USeconds>
> <InclLen>74</InclLen>
> <OrigLen>74</OrigLen>
> </PacketHeader>
> <LinkLayer>
> <Ethernet>
> <MACDest>000C29340BDE</MACDest>
> <MACSrc>005056E01449</MACSrc>
> <Ethertype>2048</Ethertype>
> <NetworkLayer>
> <IPv4>
> <IPv4Header>
> <Version>4</Version>
> <IHL>5</IHL>
> <DSCP>0</DSCP>
> <ECN>0</ECN>
> <Length>60</Length>
> <Identification>30453</Identification>
> <Flags>0</Flags>
> <FragmentOffset>0</FragmentOffset>
> <TTL>128</TTL>
> <Protocol>1</Protocol>
> <Checksum>35777</Checksum>
> <IPSrc>
> <value>174.137.42.77</value>
> </IPSrc>
> <IPDest>
> <value>192.168.158.139</value>
> </IPDest>
> <ComputedChecksum>35777</ComputedChecksum>
> </IPv4Header>
> <Protocol>1</Protocol>
> <ICMPv4>
> <Type>0</Type>
> <Code>0</Code>
> <Checksum>12124</Checksum>
> <EchoReply>
> <Identifier>512</Identifier>
> <SequenceNumber>9216</SequenceNumber>
> <Payload>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869
> </Payload>
> </EchoReply>
> </ICMPv4>
> </IPv4>
> </NetworkLayer>
> </Ethernet>
> </LinkLayer>
> </Packet>
> </tns:PCAP>
>
> Mike Beckerle
> Apache Daffodil PMC | daffodil.apache.org
> OGF DFDL Workgroup Co-Chair | www.ogf.org/ogf/doku.php/standards/dfdl/dfdl
> Owl Cyber Defense | www.owlcyberdefense.com
>
>
>
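The array question raised in this thread (PCAP.Packet has to be an array even when a file holds a single packet) and the strict vs. lenient distinction, as an added example that is not code from Drill, Daffodil or either poster. The schema notation, the function names and the trimmed, flattened sample infoset are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed infoset with ONE Packet, the case where syntax
# alone cannot tell a map from a one-element array.
SAMPLE_XML = """<tns:PCAP xmlns:tns="urn:pcap:2.4">
  <PCAPHeader><SnapLen>65535</SnapLen></PCAPHeader>
  <Packet>
    <IPSrc><value>192.168.158.139</value></IPSrc>
    <IPDest><value>174.137.42.77</value></IPDest>
    <TTL>128</TTL>
  </Packet>
</tns:PCAP>"""

# Hypothetical provided schema (not Drill's schema format): a string is a leaf
# type, a dict is a map, a one-element list marks a repeated (array) element.
SCHEMA = {
    "PCAPHeader": {"SnapLen": "INT"},
    "Packet": [{"IPSrc": {"value": "VARCHAR"}, "IPDest": {"value": "VARCHAR"}, "TTL": "DOUBLE"}],
}
CASTS = {"INT": int, "DOUBLE": float, "VARCHAR": str}

def local(tag):
    return tag.rsplit("}", 1)[-1]          # drop the "{namespace}" prefix

def load(xml_text):
    return ET.fromstring(xml_text)

def infer(elem):
    """Schema-less read: leaves stay text, arrays appear only if a name repeats."""
    kids = list(elem)
    if not kids:
        return (elem.text or "").strip()
    out = {}
    for k in kids:
        name, val = local(k.tag), infer(k)
        if name in out:
            if not isinstance(out[name], list):
                out[name] = [out[name]]
            out[name].append(val)
        else:
            out[name] = val
    return out

def read(elem, schema, strict=False):
    """Schema-guided read: the schema, not the data, decides arrays and types."""
    out = {n: [] for n, s in schema.items() if isinstance(s, list)}
    for k in elem:
        name = local(k.tag)
        if name not in schema:
            if strict:
                raise ValueError(f"field {name!r} is not in the strict schema")
            out[name] = infer(k)           # lenient: extras fall back to inference
            continue
        s = schema[name]
        if isinstance(s, list):
            out[name].append(read(k, s[0], strict))
        elif isinstance(s, dict):
            out[name] = read(k, s, strict)
        else:
            out[name] = CASTS[s]((k.text or "").strip())
    return out

def src_dest_rows(record):
    """One (src, dest) row per packet; only safe when Packet is always a list."""
    return [(p["IPSrc"]["value"], p["IPDest"]["value"]) for p in record["Packet"]]
```

Without the schema, the single-packet file yields `Packet` as a map and the row extraction breaks; with it, the same code path works for one packet or many.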
