Perhaps this is a case of "premature optimization". I am working toward a
continuous packet capture application (as in Infinistream, Gigastor,
NetVCR, etc). So far, I have two perl scripts. One takes Net::Pcap output
and Hexdumps it to a fifo "file". The other reads the fifo and inserts the
hexdump into a database table.
This is all well and good, but when I tried to dump the pcap output
directly into the fifo and convert to hex as the fifo was read things got
ugly. So now I am considering rewriting the whole thing in POE.
I want some kind of buffer between pcap and the database inserts to reduce
the chance of dropped packets. It seems to me that the "process" that has
the pcap session should have a higher priority than the db insert
"process".
Is POE the way to go? Are there existing examples of POE code that does
something similar?
Thanks for your interest,
Jon Polacheck
Used mkfifo to create the named pipe. Perl sees it as a disk file
(that I called qtfifo). ENQUE.pl dumps packet hexdumps to the fifo.
DEQUE.pl reads lines from the fifo. /^0000 / acts as the delimiter. mysql
compression worked with the standard OpenSuSE install, no recompiling or
other mucking about necessary.
Lines used for debugging marked as such.
ENQUE.pl
use Net::Pcap;
use Data::Hexdumper qw(hexdump);
$dev = "eth0";
# used a 50 packet cap file to make sure what came out matched what went in
#$dump = "ip.cap";
#$pcap = Net::Pcap::open_offline($dump, \$err) or die "Can't read
'$dump': $err\n";
# live, real-time feed
$pcap = Net::Pcap::open_live($dev, 1514, 1, 0, \$err);
Net::Pcap::loop($pcap, -1, \&process_pkt, ""); # <- subroutine call
sub process_pkt {
open(QT, "> qtfifo");
# $_[2] is the third element of the default array "@_" which was created
# by the subroutine call "&process_pkt"
my $pkt=$_[2];
$results = hexdump( data => $pkt
, number_format => 'C',
);
print QT $results;
close(QT);
$i++; # debug
&stop_run if $i > 100; #debug
}
# all debug below
sub stop_run {
print "stop_run\n";
open(QT, "> qtfifo");
print QT "\nx\n";
close(QT);
print "enque ended\n";
exit;
}
DEQUE.pl
use Time::HiRes ( nanosleep );
use DBI;
$hostname="127.0.0.1";
$database="cpc";
$port="3306";
$dsn = "DBI:mysql:database=$database;host=$hostname;port=$port";
$dbh = DBI->connect($dsn,
"root",
"",
{'RaiseError' => 1});
# call the Net::Packet collector script
system(q{perl ENQUE.pl&});
open(EQT, " < qtfifo");
$i = 0; # debug
$pc = 0; # debug
while(1) {
$i++; # debug
$line = readline(EQT);
if ($line =~ /^0000 / ) {
$dbh->do(qq{INSERT INTO cpc VALUES ( compress("$pkt"))});
$pc++ if defined($pkt); # debug
print "packet $pc:\n$pkt\n" if defined($pkt); # debug
undef($pkt);
$pkt .= $line;
} else {
$pkt .= $line;
&theend if $pkt =~ /x/; # debug
}
nanosleep(1); # would not work without this!
}
# all debug below
sub theend {
close(EQT);
print "$i loops\ndeque ended\n";
exit;
}
This generated a cap file that looks just fine in Wireshark.
mysql -Br -D cpc -e "select uncompress(packet) from cpc;" | text2pcap -
m_cap.cap
