Tuesday, May 01, 2007

Which is easier? A pure ruby netflow parser or flow-tools bindings that don't suck?

So I pared down one of the examples in vflow (ruby bindings to flow-tools)

#!/usr/bin/ruby

require 'Vflow'
require 'socket'

TESTFILE = ARGV[0]

# Print the key fields of one flow record
def dumpvflowrec(r)
  puts "=============="
  print "srcaddr #{IPSocket.getaddress(r.srcaddr)} -> "
  puts "dstaddr #{IPSocket.getaddress(r.dstaddr)}"
  puts "srcport #{r.srcport} dstport #{r.dstport}"
  puts "prot #{r.prot} tos #{r.tos}"
end

x = Vflow.new
x.open(TESTFILE)

# Walk every record in the flow-tools file, counting as we go
count = 0
x.each do |r|
  dumpvflowrec(r)
  count += 1
  puts count
end

I guess I found the bug the author mentions on the website.

franz-g4:/tmp mdfranz$ ruby vftest.rb ft-v05.2007-04-30.064501-0500
==============
srcaddr 202.97.238.199 -> dstaddr 24.136.7.235

SNIP

==============
srcaddr 24.136.7.235 -> dstaddr 64.233.163.19
srcport 58911 dstport 443
prot 6 tos 0
197
==============
srcaddr 207.172.3.8 -> dstaddr 24.136.7.235
srcport 53 dstport 57738
prot 17 tos 0
198

ruby(674) malloc: *** Deallocation of a pointer not malloced: 0x320110;
This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug

Of course, it's not like I could do any better; I know better than to touch anything in C.

What are the odds the Python flowtools will be more robust?

Pretty good, I reckon.
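For the "pure Ruby" side of the question, here is an added example (mine, not the post's code and not part of vflow or flow-tools) that unpacks a NetFlow v5 export datagram with String#unpack and checks every length against the buffer before touching it, so a bogus count field raises a Ruby exception instead of reading off the end of the data the way a C binding can. It parses the wire format that routers export, not flow-tools' on-disk ft-v05 files, which use their own container format; the sample datagram and its values are constructed.

```ruby
require 'socket'
require 'ipaddr'

# NetFlow v5 wire format: 24-byte header followed by up to 30 48-byte records.
NF5_HEADER_FMT = 'nnNNNNCCn'
NF5_HEADER_LEN = 24
NF5_RECORD_FMT = 'NNNnnNNNNnnCCCCnnCCn'
NF5_RECORD_LEN = 48
NF5_RECORD_KEYS = %i[srcaddr dstaddr nexthop input output dpkts doctets
                     first last srcport dstport pad1 tcp_flags prot tos
                     src_as dst_as src_mask dst_mask pad2]

class NetflowError < StandardError; end

# Parse one NetFlow v5 datagram into a hash. Every offset is bounds-checked,
# so a header that claims more records than the buffer holds raises cleanly.
def parse_netflow_v5(data)
  raise NetflowError, 'short header' if data.bytesize < NF5_HEADER_LEN
  version, count, uptime, secs, nsecs, seq, etype, eid, sampling =
    data.byteslice(0, NF5_HEADER_LEN).unpack(NF5_HEADER_FMT)
  raise NetflowError, "not v5 (version=#{version})" unless version == 5
  raise NetflowError, "count #{count} exceeds v5 maximum of 30" if count > 30
  needed = NF5_HEADER_LEN + count * NF5_RECORD_LEN
  raise NetflowError, "truncated: need #{needed}, have #{data.bytesize}" if data.bytesize < needed

  records = Array.new(count) do |i|
    off = NF5_HEADER_LEN + i * NF5_RECORD_LEN
    rec = NF5_RECORD_KEYS.zip(data.byteslice(off, NF5_RECORD_LEN).unpack(NF5_RECORD_FMT)).to_h
    # Addresses arrive as big-endian 32-bit integers; render them dotted-quad
    %i[srcaddr dstaddr nexthop].each { |k| rec[k] = IPAddr.new(rec[k], Socket::AF_INET).to_s }
    rec
  end
  { version: version, count: count, sys_uptime: uptime, unix_secs: secs, unix_nsecs: nsecs,
    flow_sequence: seq, engine_type: etype, engine_id: eid, sampling_interval: sampling,
    records: records }
end

# Constructed sample datagram: one HTTPS flow and one DNS reply, echoing the post's output.
def sample_datagram
  recs = [
    [IPAddr.new('24.136.7.235').to_i, IPAddr.new('64.233.163.19').to_i, 0, 1, 2, 10, 1500, 1000, 2000, 58911, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0],
    [IPAddr.new('207.172.3.8').to_i, IPAddr.new('24.136.7.235').to_i, 0, 2, 1, 1, 120, 3000, 3000, 53, 57738, 0, 0, 17, 0, 0, 0, 24, 24, 0]
  ]
  [5, recs.size, 123456, 1177934701, 0, 197, 0, 0, 0].pack(NF5_HEADER_FMT) +
    recs.map { |r| r.pack(NF5_RECORD_FMT) }.join
end
```

Feeding it a deliberately truncated copy of the sample (header intact, records cut short) is the case to try first: the parser rejects it before the first unpack of record data.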

1 comment:

palevoblog said...

"mainline" Python flowtools aren't more robust, really. For Fedora I maintain a heavily patched version which is, indeed, more robust.