* Did you test how many open files you can have simultaneously? Maybe it is enough for you to just dump to the files directly, maybe it can be extended until it is enough. If you store everything in a hash you have to think about the memory limit. Do all the PCAP files fit into memory? If not, maybe you have to write to file inbetween whenever memory is nearly full.

- With regards to simultaneous opens.. not really! In theory, the script will only ever have one pcap open to split at one time. It will also not open another pcap until it has finished splitting the pcap up. With regards to memory and storing everything in a hash, this had occured. But having tested with pcaps as big as 400MBs it's not proved to much of a concern with a 4GB ram server! Good idea to prepare something, just in case though. :)

* I don't get why you would use random keys for the hash. If you use random keys you might as well use a simple array where the array index is the not-that-random "key". I'm talking about %sip, that should be @sip instead (or removed completely, see below)

this is a good point. I decided to use a hash, because in the event of having several voip calls in one pcap i felt it would be easier to manage as several keys within 1 hash as opposed to potentially 100s of seperate arrays! furthermore, in the event I manage to work out how to dump packets from hashes it will be easier to 'dump where key = 'callid' then it will to be 'dump where array is like'.

What you do in your final step (when there is already a key $callid in main_has) is not working. Whenever you do "$main_hash{$callid} = {increase() => $value}", you are overwriting aka initializing the previous hash there with a new hash, not adding a value! The right form would be "$main_hash{$callid}{increase()}= $value"

doh. this is correct. i copied the wrong code in. rest assured the rest of it is correct! thanks for taking the time to point that out, though :)

* I don't see any reason why you do that inserting into $main_hash in two steps? Why not add to the main_hash in process_sip itself instead of using the extraneous %sip hash

I should have explained further! in a voip call the constituents that will make a call are the RTP SIP and (sip)/SDP data. If I were to dump only to a %sip %sdp and %rtp hash, then when I eventually dump, it will be trickier to go to each hash, retrieve relevant keys and then dump than it would be to go to one hash and ask for one keys worth of data.

thanks for looking at my code. you've raised some good points concerning hashes and memory.. didn't really think of that side! would be easier if I could just append to pcaps than go through all this :)

In reply to Re^2: dumping hashes to pcap files by bigmoose
in thread dumping hashes to pcap files by bigmoose

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.