articles:livevspcap

Differences

articles:livevspcap [2017/11/15 18:35] – created veeraarticles:livevspcap [2017/11/15 18:53] – [Issue 1 : The Clock] veera
Line 14: Line 14:
 In Live traffic capture, the wall time is the clock. During low traffic periods your CPU and Memory usage goes down, but the rate of time is fixed.  In Live traffic capture, the wall time is the clock. During low traffic periods your CPU and Memory usage goes down, but the rate of time is fixed. 
  
-When you read PCAPs, most tools are clocked on the timestamp present in the PCAP file, not on the wall clock.  So it comes down to this rule.+When you read PCAPs, most tools are clocked on the timestamp present in each packet inside the PCAP file, not on the wall clock.  A given process-A that generates info-A can rip through the PCAP file at 100Mbps, another process-B generating info-B may only be able to process at 5Mbps If both of these information streams hit a single backend, then we may have these problems.  
 +  - If Event-B and Event-A that occurred at the same time in real world, arrive at the backend 40 minutes apart. Can they be stored and indexed correctly ?  
 +  - If Event-B generates some new enrichment data about Event-A and they arrive 40 minutes late at the backend. What happens to the enrichment?  
  
-  * A single  
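Review bot: The added paragraph runs two sentences together at "process at 5Mbps If both of these", so it needs a period after "5Mbps". The two new list items describe the same gap differently ("arrive at the backend 40 minutes apart" versus "arrive 40 minutes late"), and in the second item "they" has no clear referent: say whether it is the enrichment data or the events that arrive late. The 40-minute figure is not tied to the 100Mbps and 5Mbps rates, so either state the capture size it assumes or mark it as an illustrative gap. The revision also drops "So it comes down to this rule." and the unfinished "* A single" item while leaving both questions open; a follow-up should state how the backend is expected to store, index and enrich events that arrive out of order.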
articles/livevspcap.txt · Last modified: 2017/11/15 23:27 by veera