netraf
A Network Analyzer and Traffic Logger.


netrafd Issues


Things that could be done.

   As I mentioned earlier, Linux offers so many possibilities that even after another few months of work there would still be many things that could be added to netrafd. For now netrafd (on most writer types) recognizes only Ethernet packets, and only IP version 4.
I think that the 0.1beta status is quite adequate, and clearly shows the relation between what is already implemented and what I would like to implement.
In most cases I completed the primary goals that were set at the beginning. Among the things that could have been added to this version but, for lack of time, will appear in the next release are:
  • simple connection tracking - for now, netrafd uses a very simple method to recognize connections, based on the two ip/port pairs and the packet flags, to guess the connection state. This method merely allows us to tell whether a connection is established or has already ended, but we can't associate any additional info with that connection.

  • advanced filters - for now, filters can only match specific values from packet headers, like a particular ip, mac address or interface; I think it would be useful if one could define a value range (like the ip range 172.12.0.0 to 172.12.100.1, or a port range) or a wildcard (like ip addresses 192.168.0.*).

  • more writer types - later we could add more writer types for more specific uses, like ones that write the data stream from packets to a file (combined with connection tracking this could open many interesting possibilities).
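The connection tracking item above describes the approach netrafd takes: both directions of a flow are folded onto one key built from the two ip/port pairs, and the TCP flags are used to guess the state. The following is an added example of that technique written for this page, not code from netrafd itself; the table size, the state names, the rule that only a bare SYN creates an entry, and the 10.0.0.1/10.0.0.2 flow fed in main() are all constructed for illustration. Addresses are passed in host byte order.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP header flag bits (same values as in the TCP flags byte) */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

enum conn_state { CONN_NONE = 0, CONN_SYN_SENT, CONN_ESTABLISHED, CONN_CLOSING, CONN_CLOSED };

/* Both directions of a flow map to one key: the numerically smaller
 * (ip, port) pair is always stored as the "a" side. */
struct conn_key { uint32_t ip_a, ip_b; uint16_t port_a, port_b; };

struct conn {
    struct conn_key key;
    enum conn_state state;
    int fins_seen;      /* FIN seen from how many sides (0..2) */
    int used;
};

#define MAX_CONNS 64
static struct conn table[MAX_CONNS];   /* fixed table; constructed toy sizing */

static struct conn_key make_key(uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport)
{
    struct conn_key k;
    if (sip < dip || (sip == dip && sport < dport)) {
        k.ip_a = sip; k.port_a = sport; k.ip_b = dip; k.port_b = dport;
    } else {
        k.ip_a = dip; k.port_a = dport; k.ip_b = sip; k.port_b = sport;
    }
    return k;
}

static int key_eq(const struct conn_key *x, const struct conn_key *y)
{
    return x->ip_a == y->ip_a && x->ip_b == y->ip_b &&
           x->port_a == y->port_a && x->port_b == y->port_b;
}

static struct conn *lookup(const struct conn_key *k, int create)
{
    struct conn *spare = NULL;
    for (int i = 0; i < MAX_CONNS; i++) {
        if (table[i].used && key_eq(&table[i].key, k)) return &table[i];
        if (!table[i].used && !spare) spare = &table[i];
    }
    if (!create || !spare) return NULL;
    memset(spare, 0, sizeof *spare);
    spare->key = *k;
    spare->used = 1;
    return spare;
}

/* Feed one TCP packet; returns the connection state guessed after it.
 * Only a bare SYN creates an entry, so stray packets for unknown flows
 * are reported as CONN_NONE instead of filling the table. */
enum conn_state track_packet(uint32_t sip, uint16_t sport,
                             uint32_t dip, uint16_t dport, uint8_t flags)
{
    struct conn_key k = make_key(sip, sport, dip, dport);
    int bare_syn = (flags & (TH_SYN | TH_ACK)) == TH_SYN;
    struct conn *c = lookup(&k, bare_syn);
    if (!c) return CONN_NONE;

    if (flags & TH_RST) {
        c->state = CONN_CLOSED;            /* abortive close from either side */
    } else if (c->state == CONN_NONE && bare_syn) {
        c->state = CONN_SYN_SENT;
    } else if (c->state == CONN_SYN_SENT && (flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) {
        c->state = CONN_ESTABLISHED;       /* guess: SYN-ACK means the peer accepted */
    } else if ((c->state == CONN_ESTABLISHED || c->state == CONN_CLOSING) && (flags & TH_FIN)) {
        c->fins_seen++;
        c->state = c->fins_seen >= 2 ? CONN_CLOSED : CONN_CLOSING;
    }

    enum conn_state s = c->state;
    if (s == CONN_CLOSED) c->used = 0;     /* release the slot once the flow is over */
    return s;
}

int active_connections(void)
{
    int n = 0;
    for (int i = 0; i < MAX_CONNS; i++) n += table[i].used;
    return n;
}

int main(void)
{
    /* constructed flow 10.0.0.1:40000 -> 10.0.0.2:80 */
    uint32_t a = 0x0A000001, b = 0x0A000002;
    printf("SYN     -> state %d\n", track_packet(a, 40000, b, 80, TH_SYN));
    printf("SYN/ACK -> state %d\n", track_packet(b, 80, a, 40000, TH_SYN | TH_ACK));
    printf("FIN/ACK -> state %d\n", track_packet(a, 40000, b, 80, TH_FIN | TH_ACK));
    printf("FIN/ACK -> state %d\n", track_packet(b, 80, a, 40000, TH_FIN | TH_ACK));
    printf("active  = %d\n", active_connections());
    return 0;
}
```

Because the key is normalized, the reply direction finds the same entry as the request direction, and because entries are freed on CLOSED, the table tells you how many flows are currently open. The limits the text mentions are visible here: nothing but the guessed state is attached to the entry, and a SYN-ACK is taken as "established" without waiting for the final ACK.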

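The advanced filters item asks for ip ranges such as 172.12.0.0 to 172.12.100.1, port ranges, and wildcards such as 192.168.0.*. Here is an added example, written for this page and not taken from netraf, of one way to parse such specs into inclusive [lo, hi] spans and match a header value against them. The spec syntax ("A-B" for a range, a trailing "*" for a wildcard), the function names and the sample addresses are all assumptions chosen for illustration; addresses are host-order integers.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* An inclusive IPv4 range in host byte order; an exact address is lo == hi. */
struct ip_range { uint32_t lo, hi; };

/* Parse "a.b.c.d" or a trailing-wildcard form such as "192.168.0.*" or "10.*"
 * into the [lo, hi] span it covers. Returns 0 on success, -1 if malformed. */
static int parse_ip_pattern(const char *s, uint32_t *lo, uint32_t *hi)
{
    uint32_t l = 0, h = 0;
    int octets = 0;
    while (octets < 4) {
        if (*s == '*') {                 /* wildcard covers this and all remaining octets */
            s++;
            for (; octets < 4; octets++) { l <<= 8; h = (h << 8) | 0xFF; }
            break;
        }
        char *end;
        long v = strtol(s, &end, 10);
        if (end == s || v < 0 || v > 255) return -1;
        l = (l << 8) | (uint32_t)v;
        h = (h << 8) | (uint32_t)v;
        octets++;
        s = end;
        if (*s != '.') break;
        s++;
    }
    if (octets != 4 || *s != '\0') return -1;   /* too few octets or trailing junk */
    *lo = l; *hi = h;
    return 0;
}

/* Parse a filter spec: "A" (exact or wildcard) or "A-B" (inclusive range). */
int ip_filter_parse(const char *spec, struct ip_range *r)
{
    char buf[64];
    uint32_t lo, hi, lo2, hi2;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    char *dash = strchr(buf, '-');
    if (dash) {
        *dash = '\0';
        if (parse_ip_pattern(buf, &lo, &hi) < 0) return -1;
        if (parse_ip_pattern(dash + 1, &lo2, &hi2) < 0) return -1;
        r->lo = lo; r->hi = hi2;         /* from the start of A to the end of B */
    } else {
        if (parse_ip_pattern(buf, &lo, &hi) < 0) return -1;
        r->lo = lo; r->hi = hi;
    }
    return r->lo <= r->hi ? 0 : -1;      /* reject inverted ranges */
}

int ip_range_match(const struct ip_range *r, uint32_t ip)
{
    return ip >= r->lo && ip <= r->hi;
}

/* Convenience: 1 if ip matches spec, 0 if not, -1 if spec is malformed. */
int ip_filter_allows(const char *spec, uint32_t ip)
{
    struct ip_range r;
    if (ip_filter_parse(spec, &r) < 0) return -1;
    return ip_range_match(&r, ip);
}

/* Same idea for ports: "80" or "1024-65535". */
int port_filter_allows(const char *spec, uint16_t port)
{
    char *end;
    long lo = strtol(spec, &end, 10), hi = lo;
    if (end == spec || lo < 0 || lo > 65535) return -1;
    if (*end == '-') {
        const char *p = end + 1;
        hi = strtol(p, &end, 10);
        if (end == p || hi < 0 || hi > 65535) return -1;
    }
    if (*end != '\0' || lo > hi) return -1;
    return port >= lo && port <= hi;
}

int main(void)
{
    /* constructed sample: 172.12.50.7 and 192.168.0.77 */
    printf("172.12.50.7 in 172.12.0.0-172.12.100.1: %d\n",
           ip_filter_allows("172.12.0.0-172.12.100.1", 0xAC0C3207));
    printf("192.168.0.77 in 192.168.0.*: %d\n", ip_filter_allows("192.168.0.*", 0xC0A8004D));
    printf("port 8080 in 1024-65535: %d\n", port_filter_allows("1024-65535", 8080));
    return 0;
}
```

Rejecting malformed specs (too few octets, an octet over 255, an inverted range) at parse time matters for a filter: a spec that silently parses to an empty or wrong range would let traffic through that the operator thought was excluded, so it is better to refuse the configuration than to guess.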

Things that have changed in specification during implementation.

   The main difference is the pcap library: we intended to use it to capture packets for further processing, but I encountered problems using it in a multithreaded application, and later on with the 'any' interface - I couldn't find a way to retrieve the source MAC address from packets that came from that "virtual" interface, and I didn't even try to figure out how to check which physical interface they came from.
That was the main reason I wrote my own simple packet capturing library, which fits my needs perfectly; it may lack much of pcap's functionality, but it can be easily extended.


Things I intend to fix.

   For now, when closing, netrafd occasionally hangs for about 4 seconds before exiting. This is because netrafd has to stop all writers, and if any conn_stat type writer is running with periodic statistics cleanup enabled, netrafd has to wait for that "garbage collector" to wake up and terminate before it can shut down the main process.

M.K.



Copyright © 2005, M.K., T.J., M.S.
netraf is Open Source software, distributed under the terms of the New BSD License.