Re: Discuss: JSON and XML and Daffodil - same Infoset, same Query should create same rowset?

Fri, 25 Aug 2023 17:44:16 -0700 

Hi Mike,

You asked about how to work with nested data items. As noted in a previous
email, this can be a bit tricky. Drill uses SQL, and SQL does not have good
native support for structured data: it was designed in the 1970's for
record oriented data (tuples). Several attempts were made to extend SQL for
structured data, but they didn't really catch on. The one thing that seems
to have "stuck" are the JSON extensions: a field can be of a JSON type,
then you use various functions to work with the data nested within the
JSON. Not very satisfying, but it seems to work: Apache Druid went this
route, for example.

Drill provides the ability to reference a structured item, but doing so
implicitly projects that item to the top level. Suppose we want to display
statistics about packet length. We want only
Packet.LinkLayer.Ethernet.NetworkLayer.IPv4.IPv4Header.Length:

SELECT
  LinkLayer.Ethernet.NetworkLayer.IPv4.IPv4Header.Length AS Length
FROM ...

The above picks out the item you want (I'm supposing that all the layers
are simple maps), but it projects the item to the top level. There is no
syntax in SQL that lets us say, "pick out just that one item, but leave the
existing nested structure". That is, there is no way to say, "Within
IPV4Header, keep Length and IPSrc but skip all the others." Oddly, the EVF
code can do such a projection, but the instructions to do so must come from
the provided schema, not the SQL statement.

The second issue concerns the client using Drill. SQL clients know nothing
about structured data. You could not get Airflow or Tableau or Pandas to
understand the Packet and do anything useful with it: all SQL tools expect
a flattened record. (I'm sure some of these tools can work with data
encoded as JSON, so that is perhaps an option, though it has all manner of
issues.) Indeed, neither ODBC nor JDBC understand structured data. One
would have to use Drill's native API, which is not for the faint of heart.

So, a reasonable goal would be to use Drill to query structured data AND to
project that data into a flat record structure that the client can consume.
This is where you'd need the flatten operator, etc. We'd have to remember
that flattening works down one branch of a tree: one cannot flatten two or
more sibling arrays. Drill also supports lateral joins, which is the fancy
SQL way to express flattening.

You asked, "What is a query that would pluck the IPSrc.value and
IPDest.value from this data and make a row of each pair of those?"

SELECT
  LinkLayer.Ethernet.NetworkLayer.IPv4.IPv4Header.IPSrc.value AS IPSrc,
  LinkLayer.Ethernet.NetworkLayer.IPv4.IPv4Header.IPDest.value AS IPDest
FROM ...

Or:

SELECT
  header.IPSrc.value AS IPSrc,
  header.IPDest.value AS IPDest
FROM
  SELECT
    LinkLayer.Ethernet.NetworkLayer.IPv4.IPv4Header AS header
  FROM ...

This gives you an output tuple with two columns: (IPSrc, IPDest).

Internally, Drill will notice that you don't want most of the maps and leaf
values. EVF will do the magic to discard them at scan time. A later project
operator will take the remaining rump maps and project the two remaining
values to the top level. Kinda confusing, but it should work.

Just a side comment: if the "value" fields of "IPSrc" and "IPDest" are just
a syntax convention, it would be handy to automatically trim away the
value, and instead treat IPSrc and IPDest as the scalar values. We do
something like this for the Mongo extended JSON types in the JSON reader.

Thanks,

- Paul



On Fri, Aug 25, 2023 at 4:39 PM Mike Beckerle <mbecke...@apache.org> wrote:

> Below is a small JSON output from Daffodil and below that is the same
> Infoset output as XML.
> (They're inline in this message, but I also attached them as files)
>
> This is just a parse of a small PCAP file with a few ICMP packets in it.
> It's an example DFDL schema used to illustrate binary file parsing.
>
> (The schema is here https://github.com/DFDLSchemas/PCAP which uses this
> component schema: https://github.com/DFDLSchemas/ethernetIP)
>
> My theory is that Drill queries against these should be identical to
> obtain the same output row contents.
> That is, since this data has the same schema, whether it is JSON or XML
> shouldn't affect how you query it.
> To do that the XML Reader will need the XML schema (or some hand-provided
> metadata) so it knows what is an array. (Specifically PCAP.Packet is the
> array.)
>
> E.g., if you wanted to get the IPSrc and IPDest fields in a table from all
> ICMP packets in this file, that query should be the same for the JSON and
> the XML data.
>
> First question: Does that make sense? I want to make sure I'm
> understanding this right.
>
> Second question, since I don't really understand Drill SQL yet.
>
> What is a query that would pluck the IPSrc.value and IPDest.value from
> this data and make a row of each pair of those?
>
> The top level is a map with a single element named PCAP.
> The "table" is PCAP.Packet which is an array (of maps).
> And within each array item's map the fields of interest are within
> LinkLayer.Ethernet.NetworkLayer.IPv4.IPv4Header
> (so maybe IPv4Header is the table?)
> The two fields within there are IPSrc.value (AS src) and IPDest.value (AS
> dest)
>
> I'm lost on how to tell the query that the table is the array PCAP.Packet,
> or the ....IPv4Header within those maybe?
>
> Maybe this is easy, but I'm just not grokking it yet so I could use some
> help here.
>
> Thanks in advance.
>
> {
> "PCAP": {
> "PCAPHeader": {
> "MagicNumber": "D4C3B2A1",
> "Version": {
> "Major": "2",
> "Minor": "4"
> },
> "Zone": "0",
> "SigFigs": "0",
> "SnapLen": "65535",
> "Network": "1"
> },
> "Packet": [
> {
> "PacketHeader": {
> "Seconds": "1371631556",
> "USeconds": "838904",
> "InclLen": "74",
> "OrigLen": "74"
> },
> "LinkLayer": {
> "Ethernet": {
> "MACDest": "005056E01449",
> "MACSrc": "000C29340BDE",
> "Ethertype": "2048",
> "NetworkLayer": {
> "IPv4": {
> "IPv4Header": {
> "Version": "4",
> "IHL": "5",
> "DSCP": "0",
> "ECN": "0",
> "Length": "60",
> "Identification": "55107",
> "Flags": "0",
> "FragmentOffset": "0",
> "TTL": "128",
> "Protocol": "1",
> "Checksum": "11123",
> "IPSrc": {
> "value": "192.168.158.139"
> },
> "IPDest": {
> "value": "174.137.42.77"
> },
> "ComputedChecksum": "11123"
> },
> "Protocol": "1",
> "ICMPv4": {
> "Type": "8",
> "Code": "0",
> "Checksum": "10844",
> "EchoRequest": {
> "Identifier": "512",
> "SequenceNumber": "8448",
> "Payload":
> "6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869"
> }
> }
> }
> }
> }
> }
> },
> {
> "PacketHeader": {
> "Seconds": "1371631557",
> "USeconds": "55699",
> "InclLen": "74",
> "OrigLen": "74"
> },
> "LinkLayer": {
> "Ethernet": {
> "MACDest": "000C29340BDE",
> "MACSrc": "005056E01449",
> "Ethertype": "2048",
> "NetworkLayer": {
> "IPv4": {
> "IPv4Header": {
> "Version": "4",
> "IHL": "5",
> "DSCP": "0",
> "ECN": "0",
> "Length": "60",
> "Identification": "30433",
> "Flags": "0",
> "FragmentOffset": "0",
> "TTL": "128",
> "Protocol": "1",
> "Checksum": "35797",
> "IPSrc": {
> "value": "174.137.42.77"
> },
> "IPDest": {
> "value": "192.168.158.139"
> },
> "ComputedChecksum": "35797"
> },
> "Protocol": "1",
> "ICMPv4": {
> "Type": "0",
> "Code": "0",
> "Checksum": "12892",
> "EchoReply": {
> "Identifier": "512",
> "SequenceNumber": "8448",
> "Payload":
> "6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869"
> }
> }
> }
> }
> }
> }
> },
> {
> "PacketHeader": {
> "Seconds": "1371631557",
> "USeconds": "840049",
> "InclLen": "74",
> "OrigLen": "74"
> },
> "LinkLayer": {
> "Ethernet": {
> "MACDest": "005056E01449",
> "MACSrc": "000C29340BDE",
> "Ethertype": "2048",
> "NetworkLayer": {
> "IPv4": {
> "IPv4Header": {
> "Version": "4",
> "IHL": "5",
> "DSCP": "0",
> "ECN": "0",
> "Length": "60",
> "Identification": "55110",
> "Flags": "0",
> "FragmentOffset": "0",
> "TTL": "128",
> "Protocol": "1",
> "Checksum": "11120",
> "IPSrc": {
> "value": "192.168.158.139"
> },
> "IPDest": {
> "value": "174.137.42.77"
> },
> "ComputedChecksum": "11120"
> },
> "Protocol": "1",
> "ICMPv4": {
> "Type": "8",
> "Code": "0",
> "Checksum": "10588",
> "EchoRequest": {
> "Identifier": "512",
> "SequenceNumber": "8704",
> "Payload":
> "6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869"
> }
> }
> }
> }
> }
> }
> },
> {
> "PacketHeader": {
> "Seconds": "1371631558",
> "USeconds": "44196",
> "InclLen": "74",
> "OrigLen": "74"
> },
> "LinkLayer": {
> "Ethernet": {
> "MACDest": "000C29340BDE",
> "MACSrc": "005056E01449",
> "Ethertype": "2048",
> "NetworkLayer": {
> "IPv4": {
> "IPv4Header": {
> "Version": "4",
> "IHL": "5",
> "DSCP": "0",
> "ECN": "0",
> "Length": "60",
> "Identification": "30436",
> "Flags": "0",
> "FragmentOffset": "0",
> "TTL": "128",
> "Protocol": "1",
> "Checksum": "35794",
> "IPSrc": {
> "value": "174.137.42.77"
> },
> "IPDest": {
> "value": "192.168.158.139"
> },
> "ComputedChecksum": "35794"
> },
> "Protocol": "1",
> "ICMPv4": {
> "Type": "0",
> "Code": "0",
> "Checksum": "12636",
> "EchoReply": {
> "Identifier": "512",
> "SequenceNumber": "8704",
> "Payload":
> "6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869"
> }
> }
> }
> }
> }
> }
> },
> {
> "PacketHeader": {
> "Seconds": "1371631558",
> "USeconds": "841168",
> "InclLen": "74",
> "OrigLen": "74"
> },
> "LinkLayer": {
> "Ethernet": {
> "MACDest": "005056E01449",
> "MACSrc": "000C29340BDE",
> "Ethertype": "2048",
> "NetworkLayer": {
> "IPv4": {
> "IPv4Header": {
> "Version": "4",
> "IHL": "5",
> "DSCP": "0",
> "ECN": "0",
> "Length": "60",
> "Identification": "55113",
> "Flags": "0",
> "FragmentOffset": "0",
> "TTL": "128",
> "Protocol": "1",
> "Checksum": "11117",
> "IPSrc": {
> "value": "192.168.158.139"
> },
> "IPDest": {
> "value": "174.137.42.77"
> },
> "ComputedChecksum": "11117"
> },
> "Protocol": "1",
> "ICMPv4": {
> "Type": "8",
> "Code": "0",
> "Checksum": "10332",
> "EchoRequest": {
> "Identifier": "512",
> "SequenceNumber": "8960",
> "Payload":
> "6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869"
> }
> }
> }
> }
> }
> }
> },
> {
> "PacketHeader": {
> "Seconds": "1371631559",
> "USeconds": "85428",
> "InclLen": "74",
> "OrigLen": "74"
> },
> "LinkLayer": {
> "Ethernet": {
> "MACDest": "000C29340BDE",
> "MACSrc": "005056E01449",
> "Ethertype": "2048",
> "NetworkLayer": {
> "IPv4": {
> "IPv4Header": {
> "Version": "4",
> "IHL": "5",
> "DSCP": "0",
> "ECN": "0",
> "Length": "60",
> "Identification": "30448",
> "Flags": "0",
> "FragmentOffset": "0",
> "TTL": "128",
> "Protocol": "1",
> "Checksum": "35782",
> "IPSrc": {
> "value": "174.137.42.77"
> },
> "IPDest": {
> "value": "192.168.158.139"
> },
> "ComputedChecksum": "35782"
> },
> "Protocol": "1",
> "ICMPv4": {
> "Type": "0",
> "Code": "0",
> "Checksum": "12380",
> "EchoReply": {
> "Identifier": "512",
> "SequenceNumber": "8960",
> "Payload":
> "6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869"
> }
> }
> }
> }
> }
> }
> },
> {
> "PacketHeader": {
> "Seconds": "1371631559",
> "USeconds": "841775",
> "InclLen": "74",
> "OrigLen": "74"
> },
> "LinkLayer": {
> "Ethernet": {
> "MACDest": "005056E01449",
> "MACSrc": "000C29340BDE",
> "Ethertype": "2048",
> "NetworkLayer": {
> "IPv4": {
> "IPv4Header": {
> "Version": "4",
> "IHL": "5",
> "DSCP": "0",
> "ECN": "0",
> "Length": "60",
> "Identification": "55118",
> "Flags": "0",
> "FragmentOffset": "0",
> "TTL": "128",
> "Protocol": "1",
> "Checksum": "11112",
> "IPSrc": {
> "value": "192.168.158.139"
> },
> "IPDest": {
> "value": "174.137.42.77"
> },
> "ComputedChecksum": "11112"
> },
> "Protocol": "1",
> "ICMPv4": {
> "Type": "8",
> "Code": "0",
> "Checksum": "10076",
> "EchoRequest": {
> "Identifier": "512",
> "SequenceNumber": "9216",
> "Payload":
> "6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869"
> }
> }
> }
> }
> }
> }
> },
> {
> "PacketHeader": {
> "Seconds": "1371631560",
> "USeconds": "42354",
> "InclLen": "74",
> "OrigLen": "74"
> },
> "LinkLayer": {
> "Ethernet": {
> "MACDest": "000C29340BDE",
> "MACSrc": "005056E01449",
> "Ethertype": "2048",
> "NetworkLayer": {
> "IPv4": {
> "IPv4Header": {
> "Version": "4",
> "IHL": "5",
> "DSCP": "0",
> "ECN": "0",
> "Length": "60",
> "Identification": "30453",
> "Flags": "0",
> "FragmentOffset": "0",
> "TTL": "128",
> "Protocol": "1",
> "Checksum": "35777",
> "IPSrc": {
> "value": "174.137.42.77"
> },
> "IPDest": {
> "value": "192.168.158.139"
> },
> "ComputedChecksum": "35777"
> },
> "Protocol": "1",
> "ICMPv4": {
> "Type": "0",
> "Code": "0",
> "Checksum": "12124",
> "EchoReply": {
> "Identifier": "512",
> "SequenceNumber": "9216",
> "Payload":
> "6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869"
> }
> }
> }
> }
> }
> }
> }
> ]
> }
> }
>
> <?xml version="1.0" encoding="UTF-8"?>
> <tns:PCAP xmlns:tns="urn:pcap:2.4">
> <PCAPHeader>
> <MagicNumber>D4C3B2A1</MagicNumber>
> <Version>
> <Major>2</Major>
> <Minor>4</Minor>
> </Version>
> <Zone>0</Zone>
> <SigFigs>0</SigFigs>
> <SnapLen>65535</SnapLen>
> <Network>1</Network>
> </PCAPHeader>
> <Packet>
> <PacketHeader>
> <Seconds>1371631556</Seconds>
> <USeconds>838904</USeconds>
> <InclLen>74</InclLen>
> <OrigLen>74</OrigLen>
> </PacketHeader>
> <LinkLayer>
> <Ethernet>
> <MACDest>005056E01449</MACDest>
> <MACSrc>000C29340BDE</MACSrc>
> <Ethertype>2048</Ethertype>
> <NetworkLayer>
> <IPv4>
> <IPv4Header>
> <Version>4</Version>
> <IHL>5</IHL>
> <DSCP>0</DSCP>
> <ECN>0</ECN>
> <Length>60</Length>
> <Identification>55107</Identification>
> <Flags>0</Flags>
> <FragmentOffset>0</FragmentOffset>
> <TTL>128</TTL>
> <Protocol>1</Protocol>
> <Checksum>11123</Checksum>
> <IPSrc>
> <value>192.168.158.139</value>
> </IPSrc>
> <IPDest>
> <value>174.137.42.77</value>
> </IPDest>
> <ComputedChecksum>11123</ComputedChecksum>
> </IPv4Header>
> <Protocol>1</Protocol>
> <ICMPv4>
> <Type>8</Type>
> <Code>0</Code>
> <Checksum>10844</Checksum>
> <EchoRequest>
> <Identifier>512</Identifier>
> <SequenceNumber>8448</SequenceNumber>
> <Payload>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869
> </Payload>
> </EchoRequest>
> </ICMPv4>
> </IPv4>
> </NetworkLayer>
> </Ethernet>
> </LinkLayer>
> </Packet>
> <Packet>
> <PacketHeader>
> <Seconds>1371631557</Seconds>
> <USeconds>55699</USeconds>
> <InclLen>74</InclLen>
> <OrigLen>74</OrigLen>
> </PacketHeader>
> <LinkLayer>
> <Ethernet>
> <MACDest>000C29340BDE</MACDest>
> <MACSrc>005056E01449</MACSrc>
> <Ethertype>2048</Ethertype>
> <NetworkLayer>
> <IPv4>
> <IPv4Header>
> <Version>4</Version>
> <IHL>5</IHL>
> <DSCP>0</DSCP>
> <ECN>0</ECN>
> <Length>60</Length>
> <Identification>30433</Identification>
> <Flags>0</Flags>
> <FragmentOffset>0</FragmentOffset>
> <TTL>128</TTL>
> <Protocol>1</Protocol>
> <Checksum>35797</Checksum>
> <IPSrc>
> <value>174.137.42.77</value>
> </IPSrc>
> <IPDest>
> <value>192.168.158.139</value>
> </IPDest>
> <ComputedChecksum>35797</ComputedChecksum>
> </IPv4Header>
> <Protocol>1</Protocol>
> <ICMPv4>
> <Type>0</Type>
> <Code>0</Code>
> <Checksum>12892</Checksum>
> <EchoReply>
> <Identifier>512</Identifier>
> <SequenceNumber>8448</SequenceNumber>
> <Payload>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869
> </Payload>
> </EchoReply>
> </ICMPv4>
> </IPv4>
> </NetworkLayer>
> </Ethernet>
> </LinkLayer>
> </Packet>
> <Packet>
> <PacketHeader>
> <Seconds>1371631557</Seconds>
> <USeconds>840049</USeconds>
> <InclLen>74</InclLen>
> <OrigLen>74</OrigLen>
> </PacketHeader>
> <LinkLayer>
> <Ethernet>
> <MACDest>005056E01449</MACDest>
> <MACSrc>000C29340BDE</MACSrc>
> <Ethertype>2048</Ethertype>
> <NetworkLayer>
> <IPv4>
> <IPv4Header>
> <Version>4</Version>
> <IHL>5</IHL>
> <DSCP>0</DSCP>
> <ECN>0</ECN>
> <Length>60</Length>
> <Identification>55110</Identification>
> <Flags>0</Flags>
> <FragmentOffset>0</FragmentOffset>
> <TTL>128</TTL>
> <Protocol>1</Protocol>
> <Checksum>11120</Checksum>
> <IPSrc>
> <value>192.168.158.139</value>
> </IPSrc>
> <IPDest>
> <value>174.137.42.77</value>
> </IPDest>
> <ComputedChecksum>11120</ComputedChecksum>
> </IPv4Header>
> <Protocol>1</Protocol>
> <ICMPv4>
> <Type>8</Type>
> <Code>0</Code>
> <Checksum>10588</Checksum>
> <EchoRequest>
> <Identifier>512</Identifier>
> <SequenceNumber>8704</SequenceNumber>
> <Payload>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869
> </Payload>
> </EchoRequest>
> </ICMPv4>
> </IPv4>
> </NetworkLayer>
> </Ethernet>
> </LinkLayer>
> </Packet>
> <Packet>
> <PacketHeader>
> <Seconds>1371631558</Seconds>
> <USeconds>44196</USeconds>
> <InclLen>74</InclLen>
> <OrigLen>74</OrigLen>
> </PacketHeader>
> <LinkLayer>
> <Ethernet>
> <MACDest>000C29340BDE</MACDest>
> <MACSrc>005056E01449</MACSrc>
> <Ethertype>2048</Ethertype>
> <NetworkLayer>
> <IPv4>
> <IPv4Header>
> <Version>4</Version>
> <IHL>5</IHL>
> <DSCP>0</DSCP>
> <ECN>0</ECN>
> <Length>60</Length>
> <Identification>30436</Identification>
> <Flags>0</Flags>
> <FragmentOffset>0</FragmentOffset>
> <TTL>128</TTL>
> <Protocol>1</Protocol>
> <Checksum>35794</Checksum>
> <IPSrc>
> <value>174.137.42.77</value>
> </IPSrc>
> <IPDest>
> <value>192.168.158.139</value>
> </IPDest>
> <ComputedChecksum>35794</ComputedChecksum>
> </IPv4Header>
> <Protocol>1</Protocol>
> <ICMPv4>
> <Type>0</Type>
> <Code>0</Code>
> <Checksum>12636</Checksum>
> <EchoReply>
> <Identifier>512</Identifier>
> <SequenceNumber>8704</SequenceNumber>
> <Payload>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869
> </Payload>
> </EchoReply>
> </ICMPv4>
> </IPv4>
> </NetworkLayer>
> </Ethernet>
> </LinkLayer>
> </Packet>
> <Packet>
> <PacketHeader>
> <Seconds>1371631558</Seconds>
> <USeconds>841168</USeconds>
> <InclLen>74</InclLen>
> <OrigLen>74</OrigLen>
> </PacketHeader>
> <LinkLayer>
> <Ethernet>
> <MACDest>005056E01449</MACDest>
> <MACSrc>000C29340BDE</MACSrc>
> <Ethertype>2048</Ethertype>
> <NetworkLayer>
> <IPv4>
> <IPv4Header>
> <Version>4</Version>
> <IHL>5</IHL>
> <DSCP>0</DSCP>
> <ECN>0</ECN>
> <Length>60</Length>
> <Identification>55113</Identification>
> <Flags>0</Flags>
> <FragmentOffset>0</FragmentOffset>
> <TTL>128</TTL>
> <Protocol>1</Protocol>
> <Checksum>11117</Checksum>
> <IPSrc>
> <value>192.168.158.139</value>
> </IPSrc>
> <IPDest>
> <value>174.137.42.77</value>
> </IPDest>
> <ComputedChecksum>11117</ComputedChecksum>
> </IPv4Header>
> <Protocol>1</Protocol>
> <ICMPv4>
> <Type>8</Type>
> <Code>0</Code>
> <Checksum>10332</Checksum>
> <EchoRequest>
> <Identifier>512</Identifier>
> <SequenceNumber>8960</SequenceNumber>
> <Payload>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869
> </Payload>
> </EchoRequest>
> </ICMPv4>
> </IPv4>
> </NetworkLayer>
> </Ethernet>
> </LinkLayer>
> </Packet>
> <Packet>
> <PacketHeader>
> <Seconds>1371631559</Seconds>
> <USeconds>85428</USeconds>
> <InclLen>74</InclLen>
> <OrigLen>74</OrigLen>
> </PacketHeader>
> <LinkLayer>
> <Ethernet>
> <MACDest>000C29340BDE</MACDest>
> <MACSrc>005056E01449</MACSrc>
> <Ethertype>2048</Ethertype>
> <NetworkLayer>
> <IPv4>
> <IPv4Header>
> <Version>4</Version>
> <IHL>5</IHL>
> <DSCP>0</DSCP>
> <ECN>0</ECN>
> <Length>60</Length>
> <Identification>30448</Identification>
> <Flags>0</Flags>
> <FragmentOffset>0</FragmentOffset>
> <TTL>128</TTL>
> <Protocol>1</Protocol>
> <Checksum>35782</Checksum>
> <IPSrc>
> <value>174.137.42.77</value>
> </IPSrc>
> <IPDest>
> <value>192.168.158.139</value>
> </IPDest>
> <ComputedChecksum>35782</ComputedChecksum>
> </IPv4Header>
> <Protocol>1</Protocol>
> <ICMPv4>
> <Type>0</Type>
> <Code>0</Code>
> <Checksum>12380</Checksum>
> <EchoReply>
> <Identifier>512</Identifier>
> <SequenceNumber>8960</SequenceNumber>
> <Payload>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869
> </Payload>
> </EchoReply>
> </ICMPv4>
> </IPv4>
> </NetworkLayer>
> </Ethernet>
> </LinkLayer>
> </Packet>
> <Packet>
> <PacketHeader>
> <Seconds>1371631559</Seconds>
> <USeconds>841775</USeconds>
> <InclLen>74</InclLen>
> <OrigLen>74</OrigLen>
> </PacketHeader>
> <LinkLayer>
> <Ethernet>
> <MACDest>005056E01449</MACDest>
> <MACSrc>000C29340BDE</MACSrc>
> <Ethertype>2048</Ethertype>
> <NetworkLayer>
> <IPv4>
> <IPv4Header>
> <Version>4</Version>
> <IHL>5</IHL>
> <DSCP>0</DSCP>
> <ECN>0</ECN>
> <Length>60</Length>
> <Identification>55118</Identification>
> <Flags>0</Flags>
> <FragmentOffset>0</FragmentOffset>
> <TTL>128</TTL>
> <Protocol>1</Protocol>
> <Checksum>11112</Checksum>
> <IPSrc>
> <value>192.168.158.139</value>
> </IPSrc>
> <IPDest>
> <value>174.137.42.77</value>
> </IPDest>
> <ComputedChecksum>11112</ComputedChecksum>
> </IPv4Header>
> <Protocol>1</Protocol>
> <ICMPv4>
> <Type>8</Type>
> <Code>0</Code>
> <Checksum>10076</Checksum>
> <EchoRequest>
> <Identifier>512</Identifier>
> <SequenceNumber>9216</SequenceNumber>
> <Payload>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869
> </Payload>
> </EchoRequest>
> </ICMPv4>
> </IPv4>
> </NetworkLayer>
> </Ethernet>
> </LinkLayer>
> </Packet>
> <Packet>
> <PacketHeader>
> <Seconds>1371631560</Seconds>
> <USeconds>42354</USeconds>
> <InclLen>74</InclLen>
> <OrigLen>74</OrigLen>
> </PacketHeader>
> <LinkLayer>
> <Ethernet>
> <MACDest>000C29340BDE</MACDest>
> <MACSrc>005056E01449</MACSrc>
> <Ethertype>2048</Ethertype>
> <NetworkLayer>
> <IPv4>
> <IPv4Header>
> <Version>4</Version>
> <IHL>5</IHL>
> <DSCP>0</DSCP>
> <ECN>0</ECN>
> <Length>60</Length>
> <Identification>30453</Identification>
> <Flags>0</Flags>
> <FragmentOffset>0</FragmentOffset>
> <TTL>128</TTL>
> <Protocol>1</Protocol>
> <Checksum>35777</Checksum>
> <IPSrc>
> <value>174.137.42.77</value>
> </IPSrc>
> <IPDest>
> <value>192.168.158.139</value>
> </IPDest>
> <ComputedChecksum>35777</ComputedChecksum>
> </IPv4Header>
> <Protocol>1</Protocol>
> <ICMPv4>
> <Type>0</Type>
> <Code>0</Code>
> <Checksum>12124</Checksum>
> <EchoReply>
> <Identifier>512</Identifier>
> <SequenceNumber>9216</SequenceNumber>
> <Payload>6162636465666768696A6B6C6D6E6F7071727374757677616263646566676869
> </Payload>
> </EchoReply>
> </ICMPv4>
> </IPv4>
> </NetworkLayer>
> </Ethernet>
> </LinkLayer>
> </Packet>
> </tns:PCAP>
>
> Mike Beckerle
> Apache Daffodil PMC | daffodil.apache.org
> OGF DFDL Workgroup Co-Chair | www.ogf.org/ogf/doku.php/standards/dfdl/dfdl
> Owl Cyber Defense | www.owlcyberdefense.com
>
>
>

Reply via email to