You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@drill.apache.org by "Ted Dunning (JIRA)" <ji...@apache.org> on 2017/04/12 18:25:41 UTC

[jira] [Created] (DRILL-5432) Want a memory format for PCAP files

Ted Dunning created DRILL-5432:
----------------------------------

             Summary: Want a memory format for PCAP files
                 Key: DRILL-5432
                 URL: https://issues.apache.org/jira/browse/DRILL-5432
             Project: Apache Drill
          Issue Type: New Feature
            Reporter: Ted Dunning


PCAP files [1] are the de facto standard for storing network capture data. In security and protocol applications, it is very common to want to extract particular packets from a capture for further analysis.

At a first level, it is desirable to query and filter by source and destination IP and port or by protocol. Beyond that, however, it would be very useful to be able to group packets by TCP session and eventually to look at packet contents. For now, however, the most critical requirement is that we should be able to scan captures at very high speed.

I previously wrote a (kind of working) proof of concept for a PCAP decoder that did lazy deserialization and could traverse hundreds of MB of PCAP data per second per core. This compares to roughly 2-3 MB/s for widely available Apache-compatible open source PCAP decoders.

This JIRA covers the integration and extension of that proof of concept as a Drill file format.

Initial work is available at https://github.com/mapr-demos/pcap-query


[1] https://en.wikipedia.org/wiki/Pcap



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Re: [jira] [Created] (DRILL-5432) Want a memory format for PCAP files

Posted by François Méthot <fm...@gmail.com>.
Hi Ted,

  We did a proof of concept with reading pcap from drill. Our approach was
to avoid writing yet another pcap decoder so we tried to adapt Drill to use
an existing one. We took Tshark as an example. It already comes with 1000s
of dissectors.

We approached the problem from a different angle: How to drive and read the
output of an external application from a SQL query within Drill.

Our experiment started with the Text Input Storage plugin from Drill, we
modified slightly to be a .pcap plugin.

When a Drill query is run on a pcap file,  the plugin RecordReader setup
function launches the TShark external app for each file that drill needs to
scan.
The column specified in the select statement are passed as an input
parameter to the external application.

In RecordReader next() method, it reads each record streamed back by
TShark. The stream output of the process is parsed by a slightly modified
TextInput. Once the data is streamed in the drill space, user can leverage
on the SQL Language to do all kind of data aggregation.

For this technique to work, the external application needs to support
Streaming in and out data.

To run on HDFS with a native application that has not been build for HDFS,
the storage plugin launches: "hdfs cat test.pcap | tshark ...."

For this to work, TShark needs to be deployed everywhere a drill bit is
running.

I don't have any metrics on performance, this was a proof of concept, but
it works. It will probably not beat the performance of the solution you are
aiming, but it leverages on years of development of an existing tool.


Francois















On Wed, Apr 12, 2017 at 2:25 PM, Ted Dunning (JIRA) <ji...@apache.org> wrote:

> Ted Dunning created DRILL-5432:
> ----------------------------------
>
>              Summary: Want a memory format for PCAP files
>                  Key: DRILL-5432
>                  URL: https://issues.apache.org/jira/browse/DRILL-5432
>              Project: Apache Drill
>           Issue Type: New Feature
>             Reporter: Ted Dunning
>
>
> PCAP files [1] are the de facto standard for storing network capture data.
> In security and protocol applications, it is very common to want to extract
> particular packets from a capture for further analysis.
>
> At a first level, it is desirable to query and filter by source and
> destination IP and port or by protocol. Beyond that, however, it would be
> very useful to be able to group packets by TCP session and eventually to
> look at packet contents. For now, however, the most critical requirement is
> that we should be able to scan captures at very high speed.
>
> I previously wrote a (kind of working) proof of concept for a PCAP decoder
> that did lazy deserialization and could traverse hundreds of MB of PCAP
> data per second per core. This compares to roughly 2-3 MB/s for widely
> available Apache-compatible open source PCAP decoders.
>
> This JIRA covers the integration and extension of that proof of concept as
> a Drill file format.
>
> Initial work is available at https://github.com/mapr-demos/pcap-query
>
>
> [1] https://en.wikipedia.org/wiki/Pcap
>
>
>
> --
> This message was sent by Atlassian JIRA
> (v6.3.15#6346)
>