Re: [Sipping] Alternate CLF syntax proposal
Adam Roach <adam@nostrum.com> Wed, 15 April 2009 15:07 UTC
Return-Path: <adam@nostrum.com>
X-Original-To: sipping@core3.amsl.com
Delivered-To: sipping@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C8EA63A69CF for <sipping@core3.amsl.com>; Wed, 15 Apr 2009 08:07:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.584
X-Spam-Level:
X-Spam-Status: No, score=-2.584 tagged_above=-999 required=5 tests=[AWL=0.015, BAYES_00=-2.599, HTML_MESSAGE=0.001, SPF_PASS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q9XjkttBfg4i for <sipping@core3.amsl.com>; Wed, 15 Apr 2009 08:07:22 -0700 (PDT)
Received: from nostrum.com (nostrum-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:267::2]) by core3.amsl.com (Postfix) with ESMTP id 6FEB93A6945 for <sipping@ietf.org>; Wed, 15 Apr 2009 08:07:21 -0700 (PDT)
Received: from [172.16.3.231] (vicuna-alt.estacado.net [75.53.54.121]) (authenticated bits=0) by nostrum.com (8.14.3/8.14.3) with ESMTP id n3FF8LOo068657 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 15 Apr 2009 10:08:21 -0500 (CDT) (envelope-from adam@nostrum.com)
Message-ID: <49E5F865.10304@nostrum.com>
Date: Wed, 15 Apr 2009 10:08:21 -0500
From: Adam Roach <adam@nostrum.com>
User-Agent: Postbox 1.0b10 (Macintosh/2009032714)
MIME-Version: 1.0
To: Theo Zourzouvillys <theo@crazygreek.co.uk>
References: <49CAE21C.5060309@nostrum.com> <c164605b0903260836p45a8bd8eg9ad50f670ef82302@mail.gmail.com> <167dfb9b0903290326t519e6df8naacdb396a259f8f2@mail.gmail.com> <49CFCD7B.5020304@iptel.org> <167dfb9b0903291950s17559a41s6a8ab01cee1e3650@mail.gmail.com> <E6C2E8958BA59A4FB960963D475F7AC31503229BAE@mail> <167dfb9b0903311033k4f26ac97gdca11986d074b9ce@mail.gmail.com>
In-Reply-To: <167dfb9b0903311033k4f26ac97gdca11986d074b9ce@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------010906070501060702010009"
Received-SPF: pass (nostrum.com: 75.53.54.121 is authenticated by a trusted mechanism)
Cc: Jason Fischl <jason.fischl@gmail.com>, sipping WG <sipping@ietf.org>, "draft-gurbani-sipping-clf@tools.ietf.org" <draft-gurbani-sipping-clf@tools.ietf.org>
Subject: Re: [Sipping] Alternate CLF syntax proposal
X-BeenThere: sipping@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "SIPPING Working Group \(applications of SIP\)" <sipping.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipping>
List-Post: <mailto:sipping@ietf.org>
List-Help: <mailto:sipping-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Apr 2009 15:07:22 -0000
Theo Zourzouvillys wrote: > On Tue, Mar 31, 2009 at 5:42 PM, Hadriel Kaplan<HKaplan@acmepacket.com> wrote: > >> But anyway, attached is an example CLF file using only the currently defined fields from draft-gurbani-sipping-clf-01, I think, encoded in a different format from the draft. >> > > The problem is this isn't really any different to the plain text > format, except it includes an initial packet length header and thus > you can skip over the whole record easily. You still need to parse > the contents of the pacp record to match any information such as a > specific via header or to tag. Precisely. Using PCAP captures straight up makes pretty much all of the problems that I'm trying to solve worse instead of better. You still need to dredge through long records to find the fields that you're filtering on, but now the records are entire SIP messages instead of extracted data. Instead of taking the time to find records of interest from o(m) to o(0.3m), you've INCREASED it to o(n), where n >> m. I'll point out that my proposal incorporates the ability to include entire SIP messages, if necessary (with the decision about whether to include the message possible on a record-by-record basis), so you can retain any debugging ability you have with PCAP -- but you get fast indexing, and the ability to store meta-information that appears in neither PCAP headers nor in the SIP message itself. /a
- [Sipping] Alternate CLF syntax proposal Adam Roach
- Re: [Sipping] Alternate CLF syntax proposal Vijay K. Gurbani
- Re: [Sipping] Alternate CLF syntax proposal Jason Fischl
- Re: [Sipping] Alternate CLF syntax proposal Hadriel Kaplan
- Re: [Sipping] Alternate CLF syntax proposal Hadriel Kaplan
- Re: [Sipping] Alternate CLF syntax proposal Hadriel Kaplan
- Re: [Sipping] Alternate CLF syntax proposal Theo Zourzouvillys
- Re: [Sipping] Alternate CLF syntax proposal Jiri Kuthan
- Re: [Sipping] Alternate CLF syntax proposal Theo Zourzouvillys
- Re: [Sipping] Alternate CLF syntax proposal Cullen Jennings
- Re: [Sipping] Alternate CLF syntax proposal Daryl Malas
- Re: [Sipping] Alternate CLF syntax proposal Hadriel Kaplan
- Re: [Sipping] Alternate CLF syntax proposal Hadriel Kaplan
- Re: [Sipping] Alternate CLF syntax proposal Theo Zourzouvillys
- Re: [Sipping] Alternate CLF syntax proposal Hisham Khartabil
- Re: [Sipping] Alternate CLF syntax proposal Vijay Gurbani
- Re: [Sipping] Alternate CLF syntax proposal Dale Worley
- Re: [Sipping] Alternate CLF syntax proposal Adam Roach
- Re: [Sipping] Alternate CLF syntax proposal Adam Roach