[VoiceOps] Splitting SIP+RTP PCAP files

Alex Balashov abalashov at evaristesys.com
Wed Jun 23 16:03:01 EDT 2010


On 06/23/2010 02:49 PM, Justin Randall wrote:

> With an understanding of Wireshark and/or PCAP file structure and a
> little Perl magic you can whip up a simple script in less than 100 lines
> which will pull the exact information you’re looking for from existing
> PCAP files.

However, not live traffic.

> As for real-time capturing, I can’t speak with any familiarity for
> Alex’s product; however, I can say that any solutions for
> real-time capturing/analysis without any type of ASICs or custom
> hardware have limited scalability, especially if you’re capturing all
> signalling and media for all call legs for several thousands of
> simultaneous calls at once in a multi-protocol VoIP environment.

Depends on how the capture program is designed.  I can tell you for a 
fact that several thousands of calls at once is not a problem if the 
process is properly parallelised and lookups are done using efficient 
data structures (which, of course, has a memory trade-off).  Backlog 
is addressed by proper parallelisation and queueing.  This is the 
insight that makes pcapsipdump such a bad choice;  it is 
single-process, and does linear list scans for everything, even the 
port/IP pairs associated with media packets.  It defies CompSci 101.

But yes, there is a limit to what can be accomplished with userspace 
processes on general purpose operating systems using commodity NICs, 
without the benefit of additional offboard processing and dedicated 
hardware.  You're not going to pull and analyse a gigabit of VoIP 
traffic at wire speed or anything like that.  There will be I/O limits 
as well if those captures are being written to disk in real-time.  If 
you need to analyse *that* kind of load and can't partition it out, 
you are probably in need of a very expensive enterprise product 
designed for just this.

-- 
Alex Balashov - Principal
Evariste Systems LLC
1170 Peachtree Street
12th Floor, Suite 1200
Atlanta, GA 30309
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
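
The lookup point made in the message above, as an added example that is not part of the original post or of any product mentioned in it: media endpoints learned from SDP are indexed in a hash table keyed on (IP, port), so each media packet is matched to its call with one lookup instead of a list scan. The function names, the packet tuples and all addresses, ports and Call-IDs are constructed for illustration; only the first `c=` line of each SDP body is used.

```python
# Added example: hash-indexed media lookup for splitting SIP+RTP per call.
# All addresses, ports and Call-IDs below are constructed sample data.
import re
from collections import defaultdict

CALL_ID = re.compile(r"^(?:Call-ID|i)\s*:\s*(\S+)", re.I | re.M)
SDP_CONN = re.compile(r"^c=IN IP4 (\S+)", re.M)
SDP_AUDIO = re.compile(r"^m=audio (\d+) ", re.M)

def learn_media(sip_text, table):
    """Index the RTP and RTCP endpoints advertised in a SIP message's SDP body."""
    cid = CALL_ID.search(sip_text)
    conn = SDP_CONN.search(sip_text)
    if not cid or not conn:
        return None                      # no Call-ID or no SDP: nothing to learn
    for m in SDP_AUDIO.finditer(sip_text):
        port = int(m.group(1))
        if port == 0:
            continue                     # port 0 means the stream was rejected
        table[(conn.group(1), port)] = cid.group(1)       # RTP
        table[(conn.group(1), port + 1)] = cid.group(1)   # RTCP, by convention
    return cid.group(1)

def split_by_call(packets, table):
    """Bucket (dst_ip, dst_port, payload) tuples per call with one dict lookup each."""
    calls, unmatched = defaultdict(list), []
    for dst_ip, dst_port, payload in packets:
        cid = table.get((dst_ip, dst_port))   # O(1) on average, not a list scan
        (calls[cid] if cid else unmatched).append(payload)
    return dict(calls), unmatched

def sample_invite(call_id, ip, port):
    """Build a constructed INVITE with a minimal SDP body."""
    return (f"INVITE sip:bob@example.net SIP/2.0\r\nCall-ID: {call_id}\r\n"
            f"Content-Type: application/sdp\r\n\r\nv=0\r\n"
            f"c=IN IP4 {ip}\r\nm=audio {port} RTP/AVP 0\r\n")

def demo():
    table = {}
    learn_media(sample_invite("call-a@test", "192.0.2.10", 40000), table)
    learn_media(sample_invite("call-b@test", "192.0.2.11", 40002), table)
    packets = [("192.0.2.10", 40000, b"rtp-a1"), ("192.0.2.11", 40002, b"rtp-b1"),
               ("192.0.2.10", 40001, b"rtcp-a"), ("198.51.100.5", 5000, b"other")]
    return split_by_call(packets, table)

if __name__ == "__main__":
    print(demo())
```

The table grows with the number of active streams, which is the memory trade-off the message mentions; entries would need to be dropped when a call ends.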

