Theo Zourzouvillys wrote:
> On Tue, Mar 31, 2009 at 5:42 PM, Hadriel Kaplan <HKaplan@xxxxxxxxxxxxxx> wrote:
>
>> But anyway, attached is an example CLF file using only the currently defined fields from draft-gurbani-sipping-clf-01, I think, encoded in a different format from the draft.
>
> The problem is this isn't really any different to the plain text format, except it includes an initial packet length header and thus you can skip over the whole record easily. You still need to parse the contents of the pcap record to match any information such as a specific via header or to tag.

Precisely. Using PCAP captures straight up makes pretty much all of the problems that I'm trying to solve worse instead of better. You still need to dredge through long records to find the fields that you're filtering on, but now the records are entire SIP messages instead of extracted data. Instead of taking the time to find records of interest from o(m) to o(0.3m), you've INCREASED it to o(n), where n >> m.

I'll point out that my proposal incorporates the ability to include entire SIP messages, if necessary (with the decision about whether to include the message possible on a record-by-record basis), so you can retain any debugging ability you have with PCAP -- but you get fast indexing, and the ability to store meta-information that appears in neither PCAP headers nor in the SIP message itself.

/a