Ted Dunning created DRILL-5432:
----------------------------------
Summary: Want a memory format for PCAP files
Key: DRILL-5432
URL: https://issues.apache.org/jira/browse/DRILL-5432
Project: Apache Drill
Issue Type: New Feature
Reporter: Ted Dunning
PCAP files [1] are the de facto standard for storing network capture data. In
security and protocol applications, it is very common to want to extract
particular packets from a capture for further analysis.
At a first level, it is desirable to query and filter by source and destination
IP and port or by protocol. Beyond that, however, it would be very useful to be
able to group packets by TCP session and eventually to look at packet contents.
For now, however, the most critical requirement is that we should be able to
scan captures at very high speed.
I previously wrote a (kind of working) proof of concept for a PCAP decoder that
did lazy deserialization and could traverse hundreds of MB of PCAP data per
second per core. This compares to roughly 2-3 MB/s for widely available
Apache-compatible open source PCAP decoders.
This JIRA covers the integration and extension of that proof of concept as a
Drill file format.
Initial work is available at https://github.com/mapr-demos/pcap-query
[1] https://en.wikipedia.org/wiki/Pcap
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
