On Thu, Oct 4, 2012 at 3:42 PM, Markus Amend <[email protected]> wrote:
> I think a pcap-indexer in netsniff-ng is missing. Netsniff-ng is a great
> tool with a lot of performance in handling (especially in recording) network
> traffic, but it's not performant to get the information out of it. An
> indexer could help to get information faster especially when the same
> network traffic is examined again and again. Also an intelligent search
> instead of bpf is possible :-)
>
> We should think about hacking something like a pcap-indexer in the future.

Agreed.

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Daniel Borkmann
> Sent: Thursday, October 4, 2012 14:57
> To: [email protected]
> Subject: Re: [netsniff-ng] PCAP Indexing?
>
> On Thu, Oct 4, 2012 at 12:25 PM, Daniel Borkmann <[email protected]> wrote:
>> On Thu, Oct 4, 2012 at 12:22 PM, Daniel Borkmann <[email protected]> wrote:
>>> On Thu, Oct 4, 2012 at 1:49 AM, TOoSmOotH <[email protected]> wrote:
>>>> Is it possible to index PCAP as it writes it to disk? I really like
>>>> netsniff-ng as it scales well with high traffic but the downside to
>>>> that is a lot of pcap. This means searching through the pcap takes a
>>>> long time especially when there are lots of writes going on.
>>>
>>> Thanks for using netsniff-ng!
>>>
>>> Currently, there is no such feature built-in. I agree that on huge
>>> pcap files, searching through it might be a bit of a pain, even in
>>> case of an efficient BPF filter for an offline analysis. There is
>>> such a thing as pcapIndex [1], but from what I know it seems to be
>>> patented.
>>>
>>> [1] http://www.sigcomm.org/node/3230
>>
>> Let me think about it and maybe in the short- to mid-term future we will
>> come up with a solution.
>
> For now, maybe https://github.com/taterhead/PCAP-Index can be of help for
> you.
