in reply to dumping hashes to pcap files

In particular I am opening a VoIP pcap file. And then the aim is to dump all SIP, SDP and RTP packets that are from the same call into one file.

This is a question rather than an answer... Out of curiosity, what are you trying to do that some freeware app like Wireshark cannot do? From what I understand, you can open a pcap file and Wireshark can actually play the audio of one of the calls. Just curious. Maybe controlling what Wireshark can already do might be a ticket?

Re^2: dumping hashes to pcap files
by bigmoose (Acolyte) on Dec 19, 2011 at 14:27 UTC

    No problem!

    I want to have the option of being able to choose databases to store data in, or even perhaps prepare for a situation where I have to scale out to multiple servers. All distant goals, but at the end of the day using the pcap library (which is also what Wireshark uses itself) directly gives you a bit more flexibility!

    It's worth noting that the library was built to be used by C. I'm using it via Perl, which is where some limitations are becoming apparent, I think.

      Oh, I see. Thanks for the explanation.

      I guess I'm going to be quite naive here, but it sounds like you have what I would call a "traffic cop" application. You open a pcap file and read a packet, then decide where it should go, direct that traffic there. Get next packet, etc.

      I'm not quite understanding why there is a need to store any significant amount of data at all - I mean why it's not possible to just decide on-the-fly where the packet should go rather than having to save them for processing later?

      Sounds like these SIP packets determine when a call starts and when a call ends and that you can assign some kind of callid to that unique call. Further that the "inbetween packets" can also be easily id'ed as belonging to a particular call.

      I don't know how many calls are in one pcap file. But it could be that you can just have filehandles open to all of them - Depends upon OS filehandle limits. Open a new file when you see a new call starting.

      You could use a hash to map call-ids to file handles. Something like this:

          #!/usr/bin/perl -w
          use strict;

          # one filehandle per call, keyed by call id
          my %filehandles;
          foreach ('call1','call2') {
              open my $fh, '>>', $_ or die "can't open $_ for append $!";
              $filehandles{$_} = $fh;
          }

          # use call_id in the print to select the right filehandle to
          # write to
          my $call_id = "call1";
          print {$filehandles{$call_id}} "to file1\n";
          $call_id = "call2";
          print {$filehandles{$call_id}} "to file2\n";
      Just trying to be helpful.
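As an added worked example of the "traffic cop" approach described in this post (not code from any poster in the thread): read a capture once with Net::Pcap, learn each call's Call-ID and the media address/port its SDP announces, and write the SIP packets plus the matching RTP packets into one pcap file per call. It assumes an Ethernet-framed IPv4/UDP capture, SIP recognised by its request/status line on any port, and RTP matched only by the address and port from the SDP `c=`/`m=audio` lines; the `call-<id>.pcap` naming and the `dumper_for`/`handle` helpers are my own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::Pcap;
use Socket qw(inet_ntoa);

my $in = shift or die "usage: $0 capture.pcap\n";
my $err;
my $pcap = Net::Pcap::open_offline($in, \$err) or die "open_offline: $err";
die "expected Ethernet link type\n" unless Net::Pcap::datalink($pcap) == 1;  # DLT_EN10MB

my %dumper;   # Call-ID -> pcap dumper for that call's output file
my %media;    # "ip:port" announced in SDP -> Call-ID, used to route RTP

sub dumper_for {                       # open the per-call output file on first use
    my ($call_id) = @_;
    return $dumper{$call_id} if $dumper{$call_id};
    (my $safe = $call_id) =~ s/[^\w.-]/_/g;        # Call-IDs often contain '@'
    $dumper{$call_id} = Net::Pcap::dump_open($pcap, "call-$safe.pcap")
        or die "dump_open: " . Net::Pcap::geterr($pcap);
    return $dumper{$call_id};
}

sub handle {                           # called by Net::Pcap::loop for every packet
    my ($user, $hdr, $pkt) = @_;
    return unless length($pkt) >= 34 && unpack('n', substr($pkt, 12, 2)) == 0x0800;  # IPv4 only
    my $ip  = substr($pkt, 14);
    my $ihl = (ord($ip) & 0x0f) * 4;   # IPv4 header length in bytes
    return unless ord(substr($ip, 9, 1)) == 17;      # UDP carries both SIP and RTP here
    my ($src, $dst) = (inet_ntoa(substr($ip, 12, 4)), inet_ntoa(substr($ip, 16, 4)));
    my ($sport, $dport) = unpack('nn', substr($ip, $ihl, 4));
    my $payload = substr($ip, $ihl + 8);
    if ($payload =~ m{^(?:[A-Z]+ sip:|SIP/2\.0)} && $payload =~ /^(?:Call-ID|i):[ \t]*(\S+)/mi) {
        my $call_id = $1;
        # an SDP body (in INVITE or 200 OK) tells us where this party's RTP will flow
        if ($payload =~ /^m=audio[ \t]+(\d+)/m) {
            my $port = $1;
            my $addr = $payload =~ /^c=IN IP4 (\S+)/m ? $1 : $src;
            $media{"$addr:$port"} = $call_id;
        }
        Net::Pcap::dump(dumper_for($call_id), $hdr, $pkt);
        return;
    }
    # not SIP: treat as RTP if either endpoint was announced in a known call's SDP
    my $call_id = $media{"$src:$sport"} || $media{"$dst:$dport"};
    Net::Pcap::dump(dumper_for($call_id), $hdr, $pkt) if defined $call_id;
}

Net::Pcap::loop($pcap, -1, \&handle, '');
Net::Pcap::dump_close($_) for values %dumper;
Net::Pcap::close($pcap);
```

RTCP (media port + 1) and non-audio streams are not routed by this version; extend the `%media` keys if the capture needs them.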

        Sounds like these SIP packets determine when a call starts and when a call ends and that you can assign some kind of callid to that unique call.

        I've seen a lot of stupid protocols, but I would be surprised if SIP, Session Initiation Protocol, didn't provide this callid, since this seems to be the entire purpose behind SIP.

        Thanks buddy. Did try that out. Didn't quite work. Think it's a Net::Pcap limitation. I'll save that in my bag of tricks though? :)