Hi, I just had a look at CVS and noticed that you created an option to deeply inspect packets with PF_RING. I have some questions about it:

1) I saw that you use a state machine in order to do the string searching itself (acsm). However, the state machine only searches for one string. This is because of the line `if(pfr->acsm != NULL) acsmFree2(pfr->acsm);` when setting a new string. The question is, if you are only searching for one string (you can technically search for as many strings as you like without much cost when using a state machine), why use a state machine rather than trivial memory matching?

2) If multiple instances of PF_RING captures are running, I believe that currently the packet would get fully scanned for each instance of PF_RING running. If you are already using a state machine, wouldn't it be better to use a shared state machine for all instances (add many strings to it), so that each packet would only be scanned once?

3) I believe it is quite costly to deep-inspect every packet for a certain pattern. Wouldn't it be better to incorporate the pattern matching into a later part of the filtering process, for example after the packet has passed a certain filter (for example, port 80 and a fixed-position check that indicates that this is an HTTP GET command)? Did you do any performance testing to see how costly this is?
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
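The three points raised in the message above (a multi-pattern automaton instead of a single-string search, one shared automaton so each packet is scanned once, and a cheap pre-filter before the deep scan), worked through as an added example. This is not PF_RING's or ntop's code and not the poster's: it is a small classic Aho-Corasick automaton written for this page, with a hypothetical `inspect_packet()` entry point, a constructed pattern table and constructed sample payloads.

```c
/* Added example, not PF_RING code: an Aho-Corasick automaton built once
 * from several patterns, shared by every caller, scanning each payload
 * exactly once. A port/fixed-offset pre-filter decides which payloads pay
 * for the scan at all. Patterns and payloads below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STATES 128          /* enough for the short constructed patterns */
#define ALPHA 256

typedef struct {
    int next[MAX_STATES][ALPHA]; /* transition table; -1 = not set yet     */
    int fail[MAX_STATES];        /* failure links                          */
    uint32_t out[MAX_STATES];    /* bitmask of pattern ids ending in state */
    int nstates;
} acsm_t;

static void acsm_init(acsm_t *a) {
    memset(a, 0, sizeof *a);
    for (int s = 0; s < MAX_STATES; s++)
        for (int c = 0; c < ALPHA; c++) a->next[s][c] = -1;
    a->nstates = 1;              /* state 0 is the root */
}

/* Insert one pattern into the trie; id selects the bit reported on a hit. */
static int acsm_add(acsm_t *a, const char *pat, int id) {
    int s = 0;
    for (const unsigned char *p = (const unsigned char *)pat; *p; p++) {
        if (a->next[s][*p] == -1) {
            if (a->nstates >= MAX_STATES) return -1;
            a->next[s][*p] = a->nstates++;
        }
        s = a->next[s][*p];
    }
    a->out[s] |= 1u << id;
    return 0;
}

/* Breadth-first pass that fills failure links and completes next[][] into a
 * full DFA, so the scan below is one table lookup per input byte. */
static void acsm_compile(acsm_t *a) {
    int queue[MAX_STATES], head = 0, tail = 0;
    for (int c = 0; c < ALPHA; c++) {
        int s = a->next[0][c];
        if (s == -1) a->next[0][c] = 0;
        else { a->fail[s] = 0; queue[tail++] = s; }
    }
    while (head < tail) {
        int r = queue[head++];
        for (int c = 0; c < ALPHA; c++) {
            int s = a->next[r][c];
            if (s == -1) { a->next[r][c] = a->next[a->fail[r]][c]; continue; }
            a->fail[s] = a->next[a->fail[r]][c];
            a->out[s] |= a->out[a->fail[s]]; /* inherit hits of shorter suffixes */
            queue[tail++] = s;
        }
    }
}

/* One pass over the buffer; returns the bitmask of every pattern seen. */
static uint32_t acsm_search(const acsm_t *a, const unsigned char *buf, size_t len) {
    uint32_t hits = 0;
    int s = 0;
    for (size_t i = 0; i < len; i++) { s = a->next[s][buf[i]]; hits |= a->out[s]; }
    return hits;
}

/* Constructed signature table; bit i of the result corresponds to PATTERNS[i]. */
static const char *PATTERNS[] = { "cmd.exe", "/../", "<script" };
enum { NPATTERNS = 3 };

/* Hypothetical entry point: returns 1 if the payload was deep-scanned (hits
 * filled in), 0 if the pre-filter skipped it, -1 on allocation failure. */
static int inspect_packet(uint16_t dst_port, const unsigned char *payload,
                          size_t len, uint32_t *hits) {
    static acsm_t *shared;       /* built once, reused for every packet and caller */
    *hits = 0;
    if (!shared) {
        shared = malloc(sizeof *shared);
        if (!shared) return -1;
        acsm_init(shared);
        for (int i = 0; i < NPATTERNS; i++) acsm_add(shared, PATTERNS[i], i);
        acsm_compile(shared);
    }
    /* Pre-filter: only port-80 payloads starting with "GET " reach the scan. */
    if (dst_port != 80 || len < 4 || memcmp(payload, "GET ", 4) != 0) return 0;
    *hits = acsm_search(shared, payload, len);
    return 1;
}

int main(void) {
    const char *samples[] = {    /* constructed payloads */
        "GET /cgi-bin/../cmd.exe HTTP/1.0\r\n",
        "GET /index.html HTTP/1.1\r\n",
        "POST /upload cmd.exe HTTP/1.1\r\n",
    };
    for (int i = 0; i < 3; i++) {
        uint32_t h;
        int scanned = inspect_packet(80, (const unsigned char *)samples[i],
                                     strlen(samples[i]), &h);
        printf("sample %d: scanned=%d hits=0x%x\n", i, scanned, h);
    }
    return 0;
}
```

The automaton costs the same one table lookup per byte whether it holds one pattern or dozens, which is the point of sharing it across capture instances; the pre-filter keeps non-HTTP traffic from ever touching it.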
