Well, to a first approximation, the UDP server is not much different from the TCP server - it's only simpler, since all of the information from each connection is in the first packet.
Netflow data, hmm? I've dealt with that, and the traffic can get pretty heavy. Your best bet is to make not exactly a multithreaded server, but a server thread that accepts each packet, and as quickly as possible puts it somewhere to be processed. (This could be through shared memory, pipes, databases or files - but SHM and pipes just remove the problem one layer deeper).
In a multithreaded server, that means one receiving thread, and possibly multiple processing threads. Or you could have a single-threaded server which simply stores the info somewhere to be processed.
Where you store it depends on how many packets we're talking about, how much space you have to store them, and how much pre-processing you intend to do.
If you're getting a significant amount of netflow (we get a lot even at 300:1 sampling), I would advise against storing it in a database directly - they are just not fast enough. You could use a system of rotating DB_File databases, or just dump to a file, and process it later.
HTH. | [reply] |
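One way to lay out the receive-then-process split described in the post above, as an added example that is not part of the original thread. The spool record layout, the function names and the two loopback datagrams are assumptions made for illustration; the only NetFlow-specific detail used is that an export packet starts with a 16-bit version field.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::INET;
use Socket qw(unpack_sockaddr_in inet_ntoa);
use File::Temp qw(tempfile);

# Hot path: append each datagram to the spool as
# [4-byte sender IP][2-byte length][payload]. No parsing happens here.
sub spool_datagrams {
    my ($sock, $spool_path, $max) = @_;
    open(my $out, '>>:raw', $spool_path) or die "open $spool_path: $!";
    for (1 .. $max) {
        my $buf;
        my $peer = $sock->recv($buf, 65535);    # one recv = one datagram
        defined $peer or die "recv: $!";
        my (undef, $ip) = unpack_sockaddr_in($peer);
        print {$out} $ip, pack('n', length $buf), $buf;
    }
    close($out) or die "close: $!";
}

# Offline pass: read the spool back, one [sender, version, length] per
# datagram. A truncated final record (e.g. after a crash) ends the loop.
sub read_spool {
    my ($spool_path) = @_;
    open(my $in, '<:raw', $spool_path) or die "open $spool_path: $!";
    my @records;
    while ((read($in, my $hdr, 6) // 0) == 6) {
        my ($ip, $len) = unpack('a4 n', $hdr);
        last unless (read($in, my $payload, $len) // 0) == $len;
        # Sender data is untrusted: check the length before unpacking.
        my $version = $len >= 2 ? unpack('n', $payload) : undef;
        push @records, [inet_ntoa($ip), $version, $len];
    }
    close($in);
    return @records;
}

# Demo on loopback with two constructed datagrams (not real exporter output).
my (undef, $spool) = tempfile(UNLINK => 1);
my $rx = IO::Socket::INET->new(Proto => 'udp', LocalAddr => '127.0.0.1',
                               LocalPort => 0) or die "bind: $@";
my $tx = IO::Socket::INET->new(Proto => 'udp', PeerAddr => '127.0.0.1',
                               PeerPort => $rx->sockport) or die "connect: $@";
$tx->send(pack('n n', 5, 0) . ("\0" x 20));     # constructed: version 5
$tx->send(pack('n n', 9, 0) . ("\0" x 16));     # constructed: version 9
spool_datagrams($rx, $spool, 2);
printf "%s version=%s bytes=%d\n", @$_ for read_spool($spool);
```

Recording the sender address with each datagram lets the later processing pass drop anything that did not come from a known exporter, since a UDP listener accepts packets from any host that can reach the port.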
Thanks for your reply.
I will try to write a server thread that accepts each packet, and as quickly as possible puts it somewhere to be processed. And I will dump the data to a file.
And do you use another language to process netflow data, like C or C++? I am in doubt whether Perl can process this heavy data perfectly.
Thanks very much!
| [reply] |
I would turn to proven solutions instead of writing a multithreaded solution in Perl for network sniffing:
- Net::Pcap and Net::PcapUtils are interfaces to libpcap, a capturing library. libpcap also does buffering, so you might be able to get away without losing data when writing.
- Use Ethereal to capture the data and process the capture files afterwards through Perl. This has the advantage of using a tried and true network sniffer, relieving you of all the hassles.
| [reply] |
Thanks so much for your reply!
And I have another question: I have written a simple UDP server to receive netflow data. But when I print this unprocessed data to the screen, I can't understand the result. So my question is: how do I decode this netflow data?
| [reply] |