
On 06/23/2010 02:49 PM, Justin Randall wrote:
> With an understanding of Wireshark and/or PCAP file structure and a little Perl magic you can whip up a simple script in less than 100 lines which will pull the exact information you're looking for from existing PCAP files.
>
> However, not live traffic.
>
> As for real-time capturing, I can't speak with any familiarity for Alex's product however I can say that scalability of any solutions for real-time capturing/analysis without any type of ASICs or custom hardware have limited scalability, especially if you're capturing all signalling and media for all call legs for several thousands of simultaneous calls at once in a multi-protocol VoIP environment.
Depends on how the capture program is designed. I can tell you for a fact that several thousands of calls at once is not a problem if the process is properly parallelised and lookups are done using efficient data structures (which, of course, has a memory trade-off). Backlog is addressed by proper parallelisation and queueing. This is the insight that makes pcapsipdump such a bad choice; it is single-process, and linear list scans for everything, even the port/IP pairs associated with media packets. It defies CompSci 101.

But yes, there is a limit to what can be accomplished with userspace processes on general purpose operating systems using commodity NICs, without the benefit of additional offboard processing and dedicated hardware. You're not going to pull and analyse a gigabit of VoIP traffic at wire speed or anything like that. There will be I/O limits as well if those captures are being written to disk in real-time. If you need to analyse *that* kind of load and can't partition it out, you are probably in need of a very expensive enterprise product designed for just this.

-- 
Alex Balashov - Principal
Evariste Systems LLC
1170 Peachtree Street
12th Floor, Suite 1200
Atlanta, GA 30309
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
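Both points in this exchange (a short script that walks the PCAP file structure to pull SIP details, and the cost of attributing media packets to calls by linear scan instead of a keyed lookup) can be illustrated with a small offline parser. The following is an added example written for this thread, not code from either poster or from pcapsipdump; it is in Python rather than Perl, it builds its own tiny libpcap file inline (constructed data, not a real capture), it assumes classic libpcap format with Ethernet framing and assumes signalling is on UDP port 5060, and the names `iter_udp`, `sdp_media_endpoint`, `call_id` and `correlate` are the example's own. SIP/SDP messages register each advertised `c=`/`m=` endpoint in a dict keyed by `(ip, port)`, so every later RTP packet is attributed to its Call-ID in O(1) instead of scanning a list of active calls.

```python
import struct
from collections import defaultdict

# --- constructed sample capture (not a real trace) ------------------------

def _udp_frame(src_ip, sport, dst_ip, dport, payload):
    """Build an Ethernet/IPv4/UDP frame around payload; checksums left zero."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp          # 12 bytes of MACs + ethertype IPv4

def build_pcap(frames):
    """Wrap frames in a classic libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

INVITE = (b"INVITE sip:bob@example.net SIP/2.0\r\nCall-ID: abc123@10.0.0.1\r\n"
          b"Content-Type: application/sdp\r\n\r\n"
          b"v=0\r\nc=IN IP4 10.0.0.1\r\nm=audio 4000 RTP/AVP 0\r\n")
OK200 = (b"SIP/2.0 200 OK\r\nCall-ID: abc123@10.0.0.1\r\n"
         b"Content-Type: application/sdp\r\n\r\n"
         b"v=0\r\nc=IN IP4 10.0.0.2\r\nm=audio 5000 RTP/AVP 0\r\n")
RTP = b"\x80\x00\x00\x01\x00\x00\x00\xa0\xde\xad\xbe\xef" + b"\x00" * 20   # RTP v2 header + dummy payload

SAMPLE_PCAP = build_pcap([
    _udp_frame("10.0.0.1", 5060, "10.0.0.2", 5060, INVITE),
    _udp_frame("10.0.0.2", 5060, "10.0.0.1", 5060, OK200),
    _udp_frame("10.0.0.1", 4000, "10.0.0.2", 5000, RTP),
    _udp_frame("10.0.0.2", 5000, "10.0.0.1", 4000, RTP),
    _udp_frame("10.0.0.9", 6000, "10.0.0.1", 7000, RTP),   # media to a port no call advertised
])

# --- minimal libpcap walker -----------------------------------------------

def iter_udp(data):
    """Yield (src_ip, sport, dst_ip, dport, payload) for each IPv4/UDP packet in a libpcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        e = "<"                     # file written little-endian
    elif magic == 0xD4C3B2A1:
        e = ">"                     # file written big-endian
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(e + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                # not IPv4, or not UDP (protocol 17)
        ihl = (frame[14] & 0x0F) * 4
        if len(frame) < 14 + ihl + 8:
            continue                # truncated by snaplen
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        udp = frame[14 + ihl:]
        sport, dport, ulen = struct.unpack_from("!HHH", udp, 0)
        yield src, sport, dst, dport, udp[8:ulen]

# --- SIP/SDP extraction and media correlation -----------------------------

def call_id(sip_msg):
    """Return the Call-ID header value of a SIP message, or None."""
    for line in sip_msg.split(b"\r\n"):
        if line.lower().startswith(b"call-id:"):
            return line.split(b":", 1)[1].strip().decode()
    return None

def sdp_media_endpoint(sip_msg):
    """Return the (ip, port) advertised by the SDP body's c= and m=audio lines, or None."""
    _head, sep, body = sip_msg.partition(b"\r\n\r\n")
    if not sep:
        return None
    ip = port = None
    for line in body.split(b"\r\n"):
        if line.startswith(b"c=IN IP4 "):
            ip = line[9:].decode()
        elif line.startswith(b"m=audio "):
            port = int(line.split()[1])
    return (ip, port) if ip and port else None

def correlate(pcap_bytes):
    """Single pass: SIP packets register media endpoints, RTP packets are matched by dict lookup."""
    media = {}                                    # (ip, port) -> Call-ID, O(1) lookup
    stats = defaultdict(lambda: {"sip": 0, "rtp": 0})
    unmatched = 0
    for src, sport, dst, dport, payload in iter_udp(pcap_bytes):
        if sport == 5060 or dport == 5060:        # assumed signalling port, not a robust SIP detector
            cid = call_id(payload)
            if cid is None:
                continue
            stats[cid]["sip"] += 1
            ep = sdp_media_endpoint(payload)
            if ep:
                media[ep] = cid
        else:
            cid = media.get((src, sport)) or media.get((dst, dport))
            if cid is None:
                unmatched += 1                    # media nobody signalled: worth flagging
            else:
                stats[cid]["rtp"] += 1
    return dict(stats), unmatched

if __name__ == "__main__":
    print(correlate(SAMPLE_PCAP))   # ({'abc123@10.0.0.1': {'sip': 2, 'rtp': 2}}, 1)
```

The `unmatched` counter is the useful by-product for a defender reviewing a capture: media arriving at ports no SDP offer ever advertised is exactly what a per-call lookup table surfaces for free, while a linear scan over active calls only gets slower as the call count grows. For a real deployment the per-packet dict would be sharded across worker processes along the lines Alex describes, with SDP changes (re-INVITEs) updating or removing entries.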