Re: [Sipping] Alternate CLF syntax proposal
Theo Zourzouvillys <theo@crazygreek.co.uk> Tue, 31 March 2009 17:32 UTC
Return-Path: <theo@crazygreek.co.uk>
X-Original-To: sipping@core3.amsl.com
Delivered-To: sipping@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F3A393A6DA6 for <sipping@core3.amsl.com>; Tue, 31 Mar 2009 10:32:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.835
X-Spam-Level:
X-Spam-Status: No, score=-5.835 tagged_above=-999 required=5 tests=[AWL=0.142, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gaM-w0GGN9ND for <sipping@core3.amsl.com>; Tue, 31 Mar 2009 10:32:41 -0700 (PDT)
Received: from exprod7og124.obsmtp.com (exprod7og124.obsmtp.com [64.18.2.26]) by core3.amsl.com (Postfix) with SMTP id 4DEEA3A6811 for <sipping@ietf.org>; Tue, 31 Mar 2009 10:32:37 -0700 (PDT)
Received: from source ([72.14.220.153]) by exprod7ob124.postini.com ([64.18.6.12]) with SMTP ID DSNKSdJT8LZbt9mKfsw3jXlWvu8yng0lAcPs@postini.com; Tue, 31 Mar 2009 10:33:37 PDT
Received: by fg-out-1718.google.com with SMTP id e12so53968fga.17 for <sipping@ietf.org>; Tue, 31 Mar 2009 10:33:35 -0700 (PDT)
MIME-Version: 1.0
In-Reply-To: <E6C2E8958BA59A4FB960963D475F7AC31503229BAE@mail>
References: <49CAE21C.5060309@nostrum.com> <c164605b0903260836p45a8bd8eg9ad50f670ef82302@mail.gmail.com> <167dfb9b0903290326t519e6df8naacdb396a259f8f2@mail.gmail.com> <49CFCD7B.5020304@iptel.org> <167dfb9b0903291950s17559a41s6a8ab01cee1e3650@mail.gmail.com> <E6C2E8958BA59A4FB960963D475F7AC31503229BAE@mail>
Date: Tue, 31 Mar 2009 18:33:20 +0100
Received: by 10.86.78.13 with SMTP id a13mr2601406fgb.67.1238520815171; Tue, 31 Mar 2009 10:33:35 -0700 (PDT)
Message-ID: <167dfb9b0903311033k4f26ac97gdca11986d074b9ce@mail.gmail.com>
From: Theo Zourzouvillys <theo@crazygreek.co.uk>
To: Hadriel Kaplan <HKaplan@acmepacket.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: Jason Fischl <jason.fischl@gmail.com>, sipping WG <sipping@ietf.org>, "draft-gurbani-sipping-clf@tools.ietf.org" <draft-gurbani-sipping-clf@tools.ietf.org>, Adam Roach <adam@nostrum.com>
Subject: Re: [Sipping] Alternate CLF syntax proposal
X-BeenThere: sipping@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "SIPPING Working Group \(applications of SIP\)" <sipping.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipping>
List-Post: <mailto:sipping@ietf.org>
List-Help: <mailto:sipping-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Mar 2009 17:32:42 -0000
On Tue, Mar 31, 2009 at 5:42 PM, Hadriel Kaplan <HKaplan@acmepacket.com> wrote: > That depends on what you think a "Common Log Format" would be useful for. The premise was that it's for troubleshooting and analysis systems. AFAICT, nothing short of the entire SIP message sequence, including contents, and even IP/UDP or TCP headers, would be sufficient for that in practice. i think perhaps what i'm, after isn't "common log format", and instead a "distributed event exporter/collector API" for network monitoring and Complex Event Processing systems, and is almost certainly a totally separate thing to be tackled another day :-) > But anyway, attached is an example CLF file using only the currently defined fields from draft-gurbani-sipping-clf-01, I think, encoded in a different format from the draft. The problem is this isn't really any different to the plain text format, except it includes an initial packet length header and thus you can skip over the whole record easily. You still need to parse the contents of the pacp record to match any information such as a specific via header or to tag. One thing that is nice about a fixed format like adam's is you can convert an input criteria filter into a set of opcodes that you can then further compile into local machine code to scan through in a very, very efficient way, similar to how packet capturing in the kernel or tcpdump (i.e, -dd) works. saying that, i do prefer pcap over the plain text method... ~ Theo Kaplan
- [Sipping] Alternate CLF syntax proposal Adam Roach
- Re: [Sipping] Alternate CLF syntax proposal Vijay K. Gurbani
- Re: [Sipping] Alternate CLF syntax proposal Jason Fischl
- Re: [Sipping] Alternate CLF syntax proposal Hadriel Kaplan
- Re: [Sipping] Alternate CLF syntax proposal Hadriel Kaplan
- Re: [Sipping] Alternate CLF syntax proposal Hadriel Kaplan
- Re: [Sipping] Alternate CLF syntax proposal Theo Zourzouvillys
- Re: [Sipping] Alternate CLF syntax proposal Jiri Kuthan
- Re: [Sipping] Alternate CLF syntax proposal Theo Zourzouvillys
- Re: [Sipping] Alternate CLF syntax proposal Cullen Jennings
- Re: [Sipping] Alternate CLF syntax proposal Daryl Malas
- Re: [Sipping] Alternate CLF syntax proposal Hadriel Kaplan
- Re: [Sipping] Alternate CLF syntax proposal Hadriel Kaplan
- Re: [Sipping] Alternate CLF syntax proposal Theo Zourzouvillys
- Re: [Sipping] Alternate CLF syntax proposal Hisham Khartabil
- Re: [Sipping] Alternate CLF syntax proposal Vijay Gurbani
- Re: [Sipping] Alternate CLF syntax proposal Dale Worley
- Re: [Sipping] Alternate CLF syntax proposal Adam Roach
- Re: [Sipping] Alternate CLF syntax proposal Adam Roach