Right now cxtracker supports it but I can't get the same performance out of cxtracker as I do with netsniff when it comes to full packet capture on high speed links. I can use another process to do it but then I am putting some hurt on the IO, which makes the most sense to do it as it's written. :) Let me know if you all move forward with something as I would be glad to test it for you. I have several multi-gig sensors running netsniff today for FPC.
Thanks!!

On Thursday, October 4, 2012 9:42:12 AM UTC-4, Markus Amend wrote:
>
> I think a pcap-indexer in netsniff-ng is missing. Netsniff-ng is a great
> tool with a lot of performance in handling (especially in recording) network
> traffic, but it's not performant to get the information out of it. An
> indexer could help to get information faster, especially when the same
> network traffic is examined again and again. Also an intelligent search
> instead of bpf is possible :-)
>
> We should think about hacking something like a pcap-indexer in the future.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On behalf of Daniel Borkmann
> Sent: Thursday, 4 October 2012 14:57
> To: [email protected]
> Subject: Re: [netsniff-ng] PCAP Indexing?
>
> On Thu, Oct 4, 2012 at 12:25 PM, Daniel Borkmann <[email protected]> wrote:
> > On Thu, Oct 4, 2012 at 12:22 PM, Daniel Borkmann <[email protected]> wrote:
> >> On Thu, Oct 4, 2012 at 1:49 AM, TOoSmOotH <[email protected]> wrote:
> >>> Is it possible to index PCAP as it writes it to disk? I really like
> >>> netsniff-ng as it scales well with high traffic but the downside to
> >>> that is a lot of pcap. This means searching through the pcap takes a
> >>> long time especially when there are lots of writes going on.
> >>
> >> Thanks for using netsniff-ng!
> >>
> >> Currently, there is no such feature built-in. I agree that on huge
> >> pcap files, searching through it might be a bit of a pain, even in
> >> case of an efficient BPF filter for an offline analysis. There is
> >> such a thing as pcapIndex [1], but from what I know it seems to be patented.
> >>
> >> [1] http://www.sigcomm.org/node/3230
> >
> > Let me think about it and maybe in short till mid-term future we will
> > come up with a solution.
> >
> > For now, maybe https://github.com/taterhead/PCAP-Index can be of help for you.
> >
> > --
>
> --
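As an added illustration of the indexing idea the thread is asking about (this is example code written for this page, not code from netsniff-ng, cxtracker or PCAP-Index): one sequential pass over a pcap file parses only each record header and the IPv4 header behind it, and records, per address, the byte offsets of the records that involve that address. A later query seeks straight to those offsets instead of rescanning the whole file through a BPF filter. The `PcapIndex`, `index_pcap`, `lookup` and `build_*` names are my own, and the pcap bytes are constructed inline rather than taken from a real capture.

```python
import struct
from collections import defaultdict
from io import BytesIO

# Magic as read little-endian -> struct byte-order prefix for the rest of the file
PCAP_MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}
GLOBAL_HDR_LEN, RECORD_HDR_LEN = 24, 16
LINKTYPE_ETHERNET, ETHERTYPE_IPV4 = 1, b"\x08\x00"


class PcapIndex:
    """IPv4 address -> file offsets of the pcap record headers that involve it."""

    def __init__(self, byte_order):
        self.byte_order = byte_order
        self.by_ip = defaultdict(list)


def index_pcap(fp):
    """One sequential pass over a pcap: parse only the record header and the
    IPv4 header of each packet, remember where the record starts, skip the rest."""
    magic = struct.unpack("<I", fp.read(4))[0]
    if magic not in PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    idx = PcapIndex(PCAP_MAGIC[magic])
    fp.seek(GLOBAL_HDR_LEN)
    while True:
        offset = fp.tell()
        hdr = fp.read(RECORD_HDR_LEN)
        if len(hdr) < RECORD_HDR_LEN:      # end of file (or a truncated record header)
            break
        incl_len = struct.unpack(idx.byte_order + "IIII", hdr)[2]
        frame = fp.read(incl_len)
        if len(frame) < incl_len:          # capture cut off mid-record: keep what we have
            break
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:   # need Ethernet + full IPv4 hdr
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        idx.by_ip[src].append(offset)
        if dst != src:
            idx.by_ip[dst].append(offset)
    return idx


def lookup(fp, idx, ip):
    """Return the raw frames for one address by seeking straight to the indexed offsets."""
    frames = []
    for offset in idx.by_ip.get(ip, []):
        fp.seek(offset)
        incl_len = struct.unpack(idx.byte_order + "IIII", fp.read(RECORD_HDR_LEN))[2]
        frames.append(fp.read(incl_len))
    return frames


# --- constructed sample data (not a real capture) -----------------------------

def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero on purpose."""
    eth = b"\x00" * 12 + ETHERTYPE_IPV4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames, byte_order="<"):
    """pcap file with one record per frame; timestamps are just the frame index."""
    out = struct.pack(byte_order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames):
        out += struct.pack(byte_order + "IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def sample_pcap(byte_order="<"):
    """Three constructed flows; each payload is one letter so frames are easy to tell apart."""
    return build_pcap([
        build_frame("10.0.0.1", "10.0.0.2", 40000, 80, b"A"),
        build_frame("10.0.0.3", "10.0.0.2", 40001, 80, b"B"),
        build_frame("10.0.0.1", "10.0.0.4", 40002, 443, b"C"),
    ], byte_order)


def index_bytes(data):
    """Index an in-memory pcap; returns the file object too so lookup() can seek in it."""
    fp = BytesIO(data)
    return fp, index_pcap(fp)


if __name__ == "__main__":
    fp, idx = index_bytes(sample_pcap())
    for ip in sorted(idx.by_ip):
        print(ip, idx.by_ip[ip], [f[-1:] for f in lookup(fp, idx, ip)])
```

The index holds only addresses and integer offsets, so it stays small next to the capture itself; a writer that appends records to the pcap could maintain the same structure incrementally, since each record's offset is known at the moment it is written. The pass stops cleanly at a truncated trailing record, which is the normal state of a file that is still being written to.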
