I think a pcap-indexer in netsniff-ng is missing. Netsniff-ng is a great tool with a lot of performance in handling (especially in recording) network traffic, but it's not performant to get the information out of it. An indexer could help to get information faster, especially when the same network traffic is examined again and again. Also an intelligent search instead of bpf is possible :-)
We should think about hacking something like a pcap-indexer in the future.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Daniel Borkmann
Sent: Thursday, October 4, 2012 14:57
To: [email protected]
Subject: Re: [netsniff-ng] PCAP Indexing?

On Thu, Oct 4, 2012 at 12:25 PM, Daniel Borkmann <[email protected]> wrote:
> On Thu, Oct 4, 2012 at 12:22 PM, Daniel Borkmann <[email protected]> wrote:
>> On Thu, Oct 4, 2012 at 1:49 AM, TOoSmOotH <[email protected]> wrote:
>>> Is it possible to index PCAP as it writes it to disk? I really like
>>> netsniff-ng as it scales well with high traffic but the downside to
>>> that is a lot of pcap. This means searching through the pcap takes a
>>> long time especially when there are lots of writes going on.
>>
>> Thanks for using netsniff-ng!
>>
>> Currently, there is no such feature built in. I agree that on huge
>> pcap files, searching through it might be a bit of a pain, even in
>> case of an efficient BPF filter for an offline analysis. There is
>> such a thing as pcapIndex [1], but from what I know it seems to be patented.
>>
>> [1] http://www.sigcomm.org/node/3230
>
> Let me think about it and maybe in the short- to mid-term future we will
> come up with a solution.

For now, maybe https://github.com/taterhead/PCAP-Index can be of help for you.
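
The kind of index discussed in this thread, as an added example (not netsniff-ng code and not written by any of the posters): one sequential pass over a classic pcap file records the byte offset of every packet per flow 5-tuple, so repeated lookups seek straight to the records instead of re-filtering the whole capture. The function names, the Ethernet/IPv4-only parsing and the constructed sample capture are assumptions made for illustration.

```python
import io, socket, struct
from collections import defaultdict

def flow_key(pkt):
    """Return (src, dst, proto, sport, dport) for IPv4 TCP/UDP over Ethernet, else None."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return None
    ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
    if proto not in (6, 17) or len(pkt) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", pkt[14 + ihl:14 + ihl + 4])
    return (socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34]), proto, sport, dport)

def build_index(f):
    """One sequential pass over a classic pcap: flow key -> list of record offsets."""
    magic = f.read(24)[:4]
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[magic]  # KeyError: not classic pcap
    index = defaultdict(list)
    while True:
        offset = f.tell()
        hdr = f.read(16)
        if len(hdr) < 16:
            break
        caplen = struct.unpack(endian + "IIII", hdr)[2]
        pkt = f.read(caplen)
        if len(pkt) < caplen:  # truncated last record, e.g. capture still being written
            break
        key = flow_key(pkt)
        if key:
            index[key].append(offset)
    return endian, dict(index)

def read_record(f, endian, offset):
    """Fetch one packet by seeking straight to its indexed offset."""
    f.seek(offset)
    caplen = struct.unpack(endian + "IIII", f.read(16))[2]
    return f.read(caplen)

def make_sample_pcap():
    """Constructed three-packet capture (ports + payload only, zero checksums); runs offline."""
    def pkt(src, dst, proto, sport, dport, payload):
        l4 = struct.pack("!HH", sport, dport) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        return b"\x00" * 12 + b"\x08\x00" + ip + l4
    pkts = [pkt("10.0.0.1", "10.0.0.2", 6, 1234, 80, b"first"),
            pkt("10.0.0.3", "10.0.0.4", 17, 5353, 53, b"dns"),
            pkt("10.0.0.1", "10.0.0.2", 6, 1234, 80, b"second")]
    recs = b"".join(struct.pack("<IIII", i, 0, len(p), len(p)) + p for i, p in enumerate(pkts))
    return io.BytesIO(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + recs)
```

Because the index stores only offsets, it can be written next to the capture file and reused on every later search of the same traffic.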
