[NETFRAME] Net::Packet::Dump / Net::Frame::Dump::Online - Concurrent Simultaneous Capture Limit?
Darien Kindlund
darien at kindlund.com
Mon Jun 15 23:30:20 CEST 2009
On Thu, Jun 11, 2009 at 12:26 PM, Darien Kindlund <darien at kindlund.com> wrote:
>> Or capture the traffic via a straight tcpdump session and write it to
>> a pcap file, then process it offline.
>
> The problem is: I need this processing in close-to-realtime as possible.
>
>> /usr/sbin/tcpdump -r $OLDSNIFF -w synonlysniffs/$NEWSNIFF
>> 'tcp[tcpflags] & (tcp-syn|tcp-fin) !=0'
>
> Yeah, I see your point, but here are the issues with this approach:
<snip>
Ironically, I ended up just calling tcpdump inside forked processes...
and it ended up using fewer resources than the Net::Frame::Dump::Online
equivalent. Granted, I still use Net::Frame::Dump::Offline to parse
the data, but for raw packet captures, forking actually turned out to
be less expensive!
Here's a copy of the final code, in case anyone's wondering:
http://www.honeyclient.org/trac/browser/honeyclient/branches/exp/kindlund-amqp/lib/HoneyClient/Manager/Pcap.pm
-- Darien
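The arrangement described above, as an added example that is not the thread's code and not the linked HoneyClient Pcap.pm: the parent forks one tcpdump per interface using the SYN/FIN BPF expression quoted earlier in the thread, stops each child with SIGINT so tcpdump flushes its pcap, and then reads the file back with Net::Frame::Dump::Offline. The interface names, output paths and the `-Z nobody` user are assumptions; the tcpdump options (-i, -w, -nn, -s, -U, -Z) and the Net::Frame::Dump::Offline / Net::Frame::Simple calls (new, start, next, stop, ref->{TCP}, NF_TCP_FLAGS_*) follow their man page and CPAN documentation.

```perl
#!/usr/bin/perl
# Added example (not from the thread or the HoneyClient project): one
# tcpdump child per interface, writing a pcap that the parent parses
# with Net::Frame::Dump::Offline once the capture window has closed.
use strict;
use warnings;
use Net::Frame::Dump::Offline;
use Net::Frame::Simple;
use Net::Frame::Layer::TCP qw(:consts);

# Same BPF expression as the quoted tcpdump command: SYN or FIN bit set.
my $SYN_FIN_FILTER = 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0';

# Fork a tcpdump process that writes a capture file; returns the child pid.
# The list form of exec bypasses the shell, so the filter is one argument.
sub spawn_capture {
    my ($iface, $outfile, $filter) = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        # -nn: no name resolution, -s 0: full packets, -U: packet-buffered
        # writes so the file is readable while tcpdump is still running,
        # -Z: drop root after the interface is opened (user is an assumption).
        exec('/usr/sbin/tcpdump', '-i', $iface, '-nn', '-s', '0', '-U',
             '-Z', 'nobody', '-w', $outfile, $filter)
            or die "exec tcpdump failed: $!";
    }
    return $pid;
}

# Stop a capture: SIGINT makes tcpdump flush and close the pcap cleanly.
sub stop_capture {
    my ($pid) = @_;
    kill 'INT', $pid;
    waitpid($pid, 0);
    return $? >> 8;
}

# Parse the finished pcap and count SYN and FIN segments per source host.
sub summarize_syn_fin {
    my ($file) = @_;
    my %count;
    my $dump = Net::Frame::Dump::Offline->new(file => $file);
    $dump->start;
    while (my $h = $dump->next) {
        my $frame = Net::Frame::Simple->new(
            raw        => $h->{raw},
            firstLayer => $h->{firstLayer},
            timestamp  => $h->{timestamp},
        );
        my $ip  = $frame->ref->{IPv4} or next;   # skip non-IPv4 frames
        my $tcp = $frame->ref->{TCP}  or next;   # skip non-TCP frames
        $count{ $ip->src }{syn}++ if $tcp->flags & NF_TCP_FLAGS_SYN;
        $count{ $ip->src }{fin}++ if $tcp->flags & NF_TCP_FLAGS_FIN;
    }
    $dump->stop;
    return \%count;
}

# Usage: one capture per interface for a fixed window, then parse each file.
my @ifaces  = @ARGV ? @ARGV : ('eth0');                # assumed interface
my $seconds = 30;
my %children;
for my $if (@ifaces) {
    my $out = "/tmp/syn-fin-$if-" . time() . '.pcap';  # assumed output path
    $children{ spawn_capture($if, $out, $SYN_FIN_FILTER) } = $out;
}
sleep $seconds;
for my $pid (keys %children) {
    stop_capture($pid);
    my $stats = summarize_syn_fin($children{$pid});
    for my $src (sort keys %$stats) {
        printf "%-15s SYN=%-5d FIN=%-5d\n",
            $src, $stats->{$src}{syn} // 0, $stats->{$src}{fin} // 0;
    }
}
```

Each tcpdump child holds its own capture handle, so the parent never opens a libpcap device itself and only touches the filesystem; the `//` operator needs Perl 5.10 or later, and `-Z` requires a tcpdump built with privilege dropping (omit it otherwise).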