[
https://issues.apache.org/jira/browse/DRILL-5432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15981793#comment-15981793
]
Ted Dunning commented on DRILL-5432:
------------------------------------
The version in github is now working. Thanks for Charles for the mac address
code.
{code}
0: jdbc:drill:zk=local> select src_ip, count(1), sum(packet_length) from
dfs.`/Users/tdunning/Apache/drill-pcap-format/x.pcap` group by src_ip;
+------------------+---------+---------+
| src_ip | EXPR$1 | EXPR$2 |
+------------------+---------+---------+
| 10.0.1.5 | 24 | 3478 |
| 23.72.217.110 | 1 | 66 |
| 199.59.150.11 | 1 | 66 |
| 35.167.153.146 | 2 | 194 |
| 149.174.66.131 | 1 | 54 |
| 152.163.13.6 | 1 | 54 |
| 35.166.185.92 | 2 | 194 |
| 173.194.202.189 | 2 | 145 |
| 23.72.187.41 | 2 | 132 |
| 108.174.10.10 | 4 | 561 |
| 12.220.154.66 | 1 | 174 |
| 52.20.156.183 | 1 | 98 |
| 74.125.28.189 | 1 | 73 |
| 192.30.253.124 | 1 | 66 |
+------------------+---------+---------+
{code}
This is now up to the basic idea that we would like to have. The only major
thing missing is the ability to group by TCP stream. You can emulate that by
grouping by src_ip, dst_ip, src_port, dst_port, but we want something better.
Can somebody take a look at the code?
> Want a memory format for PCAP files
> -----------------------------------
>
> Key: DRILL-5432
> URL: https://issues.apache.org/jira/browse/DRILL-5432
> Project: Apache Drill
> Issue Type: New Feature
> Reporter: Ted Dunning
>
> PCAP files [1] are the de facto standard for storing network capture data. In
> security and protocol applications, it is very common to want to extract
> particular packets from a capture for further analysis.
> At a first level, it is desirable to query and filter by source and
> destination IP and port or by protocol. Beyond that, however, it would be
> very useful to be able to group packets by TCP session and eventually to look
> at packet contents. For now, however, the most critical requirement is that
> we should be able to scan captures at very high speed.
> I previously wrote a (kind of working) proof of concept for a PCAP decoder
> that did lazy deserialization and could traverse hundreds of MB of PCAP data
> per second per core. This compares to roughly 2-3 MB/s for widely available
> Apache-compatible open source PCAP decoders.
> This JIRA covers the integration and extension of that proof of concept as a
> Drill file format.
> Initial work is available at https://github.com/mapr-demos/drill-pcap-format
> [1] https://en.wikipedia.org/wiki/Pcap
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
