#7 Metadesc

svn
open
nobody
Core (9)
6
2006-10-13
2006-10-13
No

We still don't have a way to determine which metadesc of
the module has matched with the sniffer's metadesc.
It would be nice to have a specification for that.
Here are my thoughts on how this could be done:
1. su_init() is called and registers the metadesc.
2. CA starts the sniffers and the output metadescs get
   defined.
3. SU sends the module to CA.
4. CA matches the module's metadescs against the sniffers'
   metadescs and saves the results.
5. SU tells CA to start once all the modules are loaded.
6. CA determines for each sniffer which metadesc it
   should use (for example by maximizing a gain function
   such as a weighted sum of the running modules, where the
   weight is a priority specified in the config file) and
   calls the sniffer with that metadesc. At that point the
   sniffer will register its sniffer_next callback.
7. CA calls each module that can run and the module
   registers its update callback.
8. Everything runs.

NOTE: there's a situation that is still unclear. If multiple
sniffers are running and their selected metadescs are
conflicting, but each of them matches a module's
metadesc, what should happen then?
I don't think the above is clear. Let me give an example:
we have the pcap sniffer, the flowtools sniffer and the
counter module.
The counter module could support 2 metadescs: one with
a single tpl "none:none:none:none" and the other with
the same tpl but with the packet_count and sampling_rate
pktmetas.
Sniffer pcap has a metadesc like "none:eth:any:any".
Sniffer flowtools has "nf:none:~ip:(none|~udp|~tcp)"
and the pktmetas packet_count and sampling_rate.
The core would allow the module to run but would choose
the first module metadesc for pcap and the second for
flowtools.
A possible solution is that we have a mapping between
the sniffer and the update callback.
When we ask the module which update() to use for
pcap's metadesc it will register an update() that
doesn't use the pktmetas, while when we ask which
update() to use for flowtools it will register a
different callback that uses the two pktmetas.
Sounds complex, but it isn't, and it allows a lot of
flexibility and cleaner code.

Comments?
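As an added illustration (not the ticket author's code and not the project's own implementation), here is a small Python model of steps 4, 6 and 7 of the proposal: template matching, per-sniffer metadesc selection by a priority-weighted gain, and the (sniffer, module) -> update() mapping suggested as a way out of the conflict described in the NOTE. Everything beyond what the ticket states is an assumption: the template semantics ("none" or "any" in a module template means no requirement for that layer; a required header matches the sniffer's "any", the header itself or "~header", the latter taken to mean the header is present but possibly partial; a sniffer alternation such as "(none|~udp|~tcp)" must be acceptable in every branch), the gain function as the weighted sum the ticket suggests, the tie-break that prefers the matching module metadesc using the most pktmetas (which is what makes flowtools get the counter module's second metadesc), and the hypothetical `topdest` module and `rawsniff` sniffer, which exist only so the gain function has more than one candidate to compare.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Added example, not the project's code: a model of the metadesc matching
# and selection steps (4, 6 and 7) proposed in the ticket.  The template
# semantics, the gain function and the tie-break are assumptions.

@dataclass(frozen=True)
class MetaDesc:
    tpl: str                            # e.g. "nf:none:~ip:(none|~udp|~tcp)"
    pktmetas: frozenset = frozenset()   # e.g. {"packet_count", "sampling_rate"}

def _alternatives(tplfield: str) -> List[str]:
    # "(none|~udp|~tcp)" -> ["none", "~udp", "~tcp"]; "eth" -> ["eth"]
    if tplfield.startswith("(") and tplfield.endswith(")"):
        return tplfield[1:-1].split("|")
    return [tplfield]

def _field_matches(want: str, have: str) -> bool:
    # Assumed semantics: "none"/"any" in a module template means "no
    # requirement for this layer".  A required header matches the sniffer's
    # "any", the header itself or "~header" (taken to mean the header is
    # present, possibly partial).  A sniffer alternation must be acceptable
    # in every branch, or the module could receive records it cannot parse.
    if want in ("none", "any"):
        return True
    return all(alt == "any" or alt.lstrip("~") == want.lstrip("~")
               for alt in _alternatives(have))

def metadesc_matches(module_md: MetaDesc, sniffer_md: MetaDesc) -> bool:
    """Step 4: does a module input metadesc accept a sniffer output metadesc?"""
    mfields, sfields = module_md.tpl.split(":"), sniffer_md.tpl.split(":")
    if len(mfields) != len(sfields):
        return False
    if not module_md.pktmetas <= sniffer_md.pktmetas:
        return False        # module needs a pktmeta the sniffer cannot supply
    return all(_field_matches(w, h) for w, h in zip(mfields, sfields))

@dataclass
class Module:
    name: str
    priority: int                               # weight from the config file
    inputs: List[Tuple[MetaDesc, Callable]]     # (metadesc, update callback)

@dataclass
class Sniffer:
    name: str
    outputs: List[MetaDesc]

def gain(sniffer_md: MetaDesc, modules: List[Module]) -> int:
    # Weighted sum of the modules that could run on this sniffer metadesc.
    return sum(m.priority for m in modules
               if any(metadesc_matches(md, sniffer_md) for md, _ in m.inputs))

def select_metadescs(sniffers: List[Sniffer], modules: List[Module]) -> Dict[str, MetaDesc]:
    """Step 6: each sniffer gets the output metadesc that maximizes the gain."""
    return {s.name: max(s.outputs, key=lambda md: gain(md, modules)) for s in sniffers}

def bind_updates(sniffers, modules, chosen):
    """Step 7: per (sniffer, module) pair, pick the module metadesc that matches
    the sniffer's selected output and record that metadesc's update callback.
    Tie-break (assumed): prefer the metadesc that uses the most pktmetas."""
    binding = {}
    for m in modules:
        for s in sniffers:
            ok = [(md, up) for md, up in m.inputs if metadesc_matches(md, chosen[s.name])]
            if ok:
                binding[(s.name, m.name)] = max(ok, key=lambda p: len(p[0].pktmetas))
    return binding

# --- constructed sample configuration reproducing the ticket's example ---
def counter_update_plain(pkt, state):     # one record == one packet
    state["pkts"] += 1

def counter_update_sampled(pkt, state):   # flow record: scale by the pktmetas
    state["pkts"] += pkt["packet_count"] * pkt["sampling_rate"]

def topdest_update(pkt, state):           # hypothetical module that needs IP
    state[pkt["dst"]] = state.get(pkt["dst"], 0) + 1

COUNTER = Module("counter", 10, [
    (MetaDesc("none:none:none:none"), counter_update_plain),
    (MetaDesc("none:none:none:none", frozenset({"packet_count", "sampling_rate"})),
     counter_update_sampled),
])
TOPDEST = Module("topdest", 5, [(MetaDesc("none:none:ip:none"), topdest_update)])
PCAP = Sniffer("pcap", [MetaDesc("none:eth:any:any")])
FLOWTOOLS = Sniffer("flowtools", [MetaDesc("nf:none:~ip:(none|~udp|~tcp)",
                                           frozenset({"packet_count", "sampling_rate"}))])
# hypothetical sniffer with two output metadescs, so the gain function matters
RAWSNIFF = Sniffer("rawsniff", [MetaDesc("none:none:none:none"),
                                MetaDesc("none:eth:ip:any")])

def run_example():
    sniffers, modules = [PCAP, FLOWTOOLS, RAWSNIFF], [COUNTER, TOPDEST]
    chosen = select_metadescs(sniffers, modules)
    binding = bind_updates(sniffers, modules, chosen)
    return ({s: md.tpl for s, md in chosen.items()},
            {k: up.__name__ for k, (md, up) in binding.items()})
```

Calling run_example() gives pcap the counter module's pktmeta-free update() and flowtools the one that uses packet_count and sampling_rate, while rawsniff ends up on its "none:eth:ip:any" output because that lets both modules run (gain 15 instead of 10). The binding is keyed by (sniffer, module), which is the mapping the ticket proposes: two sniffers with conflicting selected metadescs no longer conflict, because each gets its own update() from the module.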

Discussion