IETF Logo Mail Archive

Re: [Sipping] Alternate CLF syntax proposal

Hadriel Kaplan <HKaplan@acmepacket.com> Thu, 26 March 2009 19:55 UTC

Return-Path: <HKaplan@acmepacket.com>
X-Original-To: sipping@core3.amsl.com
Delivered-To: sipping@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2BEC13A6C5D for <sipping@core3.amsl.com>; Thu, 26 Mar 2009 12:55:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.534
X-Spam-Level:
X-Spam-Status: No, score=-2.534 tagged_above=-999 required=5 tests=[AWL=0.065, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jW3Wm4Kj1QWf for <sipping@core3.amsl.com>; Thu, 26 Mar 2009 12:55:56 -0700 (PDT)
Received: from etmail.acmepacket.com (etmail.acmepacket.com [216.41.24.6]) by core3.amsl.com (Postfix) with ESMTP id 1D0CA3A68AF for <sipping@ietf.org>; Thu, 26 Mar 2009 12:55:56 -0700 (PDT)
Received: from mail.acmepacket.com (216.41.24.7) by etmail.acmepacket.com (216.41.24.6) with Microsoft SMTP Server (TLS) id 8.1.340.0; Thu, 26 Mar 2009 15:56:49 -0400
Received: from mail.acmepacket.com ([127.0.0.1]) by mail ([127.0.0.1]) with mapi; Thu, 26 Mar 2009 15:56:48 -0400
From: Hadriel Kaplan <HKaplan@acmepacket.com>
To: "Vijay K. Gurbani" <vkg@alcatel-lucent.com>, Adam Roach <adam@nostrum.com>
Date: Thu, 26 Mar 2009 15:56:51 -0400
Thread-Topic: [Sipping] Alternate CLF syntax proposal
Thread-Index: AcmtvsBAO+EtOfggRKyHnd1ewtyytwAhzy3Q
Message-ID: <E6C2E8958BA59A4FB960963D475F7AC314FEBFF676@mail>
References: <49CAE21C.5060309@nostrum.com> <49CAEF3B.40309@alcatel-lucent.com>
In-Reply-To: <49CAEF3B.40309@alcatel-lucent.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: sipping WG <sipping@ietf.org>, "draft-gurbani-sipping-clf@tools.ietf.org" <draft-gurbani-sipping-clf@tools.ietf.org>
Subject: Re: [Sipping] Alternate CLF syntax proposal
X-BeenThere: sipping@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "SIPPING Working Group \(applications of SIP\)" <sipping.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipping>
List-Post: <mailto:sipping@ietf.org>
List-Help: <mailto:sipping-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2009 19:55:57 -0000

If the purpose of it is troubleshooting, or threat analysis type stuff, I think the following format satisfies the needs as well:
http://wiki.wireshark.org/Development/LibpcapFileFormat

The advantages:
1) There's running code
2) There's open source, on all operating systems, and also for commercial use
3) It's used by many people
4) There are many tools which accept/process it
5) It's fast to write/save
6) It supports a sub-second timestamp
7) It supports length encoding of packets, so you can skip past them
8) It supports truncated saving of packets, so you don't have to save all of very big ones 
9) It records the method name or response code very early in the saved log entry for each packet

Disadvantages:
1) Nothing much new to specify, except to document it? 
2) It's a little tricky for SIP/TLS, where you basically have to create fake segments/packets for the low layers, and same may be true for SIP/TCP depending on when you record the log
3) It doesn't provide a way to report internal system events/actions/info (although we could fix that)
4) Afaik, there is no specific remote push/streaming mechanism for it defined (there was an attempt at it, but not final)

-hadriel

> -----Original Message-----
> From: sipping-bounces@ietf.org [mailto:sipping-bounces@ietf.org] On Behalf
> Of Vijay K. Gurbani
> Sent: Wednesday, March 25, 2009 10:58 PM
> 
> Adam Roach wrote:
> > In the spirit of "send text," I've put together a straw-man proposal for
> > an easy-to-generate and fast-to-process extensible format for saving SIP
> > log messages:
> >
> > http://www.ietf.org/internet-drafts/draft-roach-sipping-clf-syntax-
> 00.txt
> [...]
> 
> Adam: Essentially you are advocating for a table-of-content
> type of approach where you read the ToC and index straight
> to where you want to go.  I have worked on SIP parsers
> designed this way.
> 
> The parsing is optimized, yes, when compared to the ASCII
> version -- though perl can do wonders, but not to outperform
> binary parsing.  The disadvantage is that you loose readability
> and would need specialized tools to, say, grep through such
> a file.
> 
> It will be interesting to see what others think...
> 
> Thanks,
> 
> - vijay
> --
> Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
> 1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60566 (USA)
> Email: vkg@{alcatel-lucent.com,bell-labs.com,acm.org}
> Web:   http://ect.bell-labs.com/who/vkg/
> _______________________________________________
> Sipping mailing list  https://www.ietf.org/mailman/listinfo/sipping
> This list is for NEW development of the application of SIP
> Use sip-implementors@cs.columbia.edu for questions on current sip
> Use sip@ietf.org for new developments of core SIP

v2.23.0 | Report a Bug | By Email