Tuesday, May 01, 2007

Which is easier? A pure ruby netflow parser or flow-tools bindings that don't suck?

So I pared down one of the examples in vflow (ruby bindings to flow-tools):


require 'Vflow'
require 'socket'

# Print the address, port and protocol fields of one flow record.
def dumpvflowrec(r)
  puts "=============="
  print "srcaddr #{IPSocket.getaddress(r.srcaddr)} -> "
  puts "dstaddr #{IPSocket.getaddress(r.dstaddr)}"
  puts "srcport #{r.srcport} dstport #{r.dstport}"
  puts "prot #{r.prot} tos #{r.tos}"
end

x = Vflow.new()

# Number each record and dump it.
count = 0
x.each() {|r|
  count += 1
  puts count
  dumpvflowrec(r)
}

I guess I found the bug the author mentions on the website.

franz-g4:/tmp mdfranz$ ruby vftest.rb ft-v05.2007-04-30.064501-0500
srcaddr -> dstaddr


srcaddr -> dstaddr
srcport 58911 dstport 443
prot 6 tos 0
srcaddr -> dstaddr
srcport 53 dstport 57738
prot 17 tos 0

ruby(674) malloc: *** Deallocation of a pointer not malloced: 0x320110;
This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug

Of course, it's not like I could do any better; I know better than to touch anything in C.

What are the odds the Python flowtools will be more robust?

Pretty good, I reckon.
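For the "pure ruby netflow parser" side of the question, here is an added example (not code from the original post, vflow or flow-tools) that parses a NetFlow v5 export datagram with String#unpack and rejects malformed input with an exception rather than reading out of bounds. It handles the wire format a router exports, not the flow-tools on-disk format of the ft-v05 file above; the sample datagram and its addresses are constructed, and the names parse_v5, FlowRec and SAMPLE are made up for this example.

```ruby
# NetFlow v5 export datagram: 24-byte header, then `count` 48-byte records,
# all fields in network byte order.
V5_HEADER_LEN  = 24
V5_RECORD_LEN  = 48
V5_MAX_RECORDS = 30 # a v5 datagram carries at most 30 records
V5_HEADER_FMT  = 'nnNNNNCCn'
V5_RECORD_FMT  = 'NNNnnNNNNnnCCCCnnCCn'

FlowRec = Struct.new(:srcaddr, :dstaddr, :srcport, :dstport, :prot, :tos)

# 32-bit integer -> dotted quad.
def ip4(n)
  [n].pack('N').unpack('C4').join('.')
end

# Parse one datagram; raise ArgumentError on anything malformed instead of
# reading past the end of the buffer.
def parse_v5(datagram)
  data = datagram.b
  raise ArgumentError, 'short header' if data.bytesize < V5_HEADER_LEN
  version, count = data.unpack('nn')
  raise ArgumentError, "version #{version} is not 5" unless version == 5
  raise ArgumentError, "bad record count #{count}" unless (1..V5_MAX_RECORDS).cover?(count)
  expected = V5_HEADER_LEN + count * V5_RECORD_LEN
  raise ArgumentError, "#{data.bytesize} bytes, expected #{expected}" unless data.bytesize == expected

  (0...count).map do |i|
    f = data.byteslice(V5_HEADER_LEN + i * V5_RECORD_LEN, V5_RECORD_LEN).unpack(V5_RECORD_FMT)
    # f: 0 srcaddr, 1 dstaddr, 9 srcport, 10 dstport, 13 prot, 14 tos
    FlowRec.new(ip4(f[0]), ip4(f[1]), f[9], f[10], f[13], f[14])
  end
end

# Constructed sample input: header plus two records (documentation addresses).
def sample_record(src, dst, sport, dport, prot)
  [src, dst, 0, 1, 2, 10, 1200, 0, 0, sport, dport, 0, 0, prot, 0, 0, 0, 24, 24, 0].pack(V5_RECORD_FMT)
end

SAMPLE = [5, 2, 0, 0, 0, 0, 0, 0, 0].pack(V5_HEADER_FMT) +
         sample_record(0xC000020A, 0xC6336407, 58911, 443, 6) +
         sample_record(0xC6336407, 0xC000020A, 53, 57738, 17)

parse_v5(SAMPLE).each do |r|
  puts "srcaddr #{r.srcaddr} -> dstaddr #{r.dstaddr}"
  puts "srcport #{r.srcport} dstport #{r.dstport}"
  puts "prot #{r.prot} tos #{r.tos}"
end
```
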

1 comment:

Stingray said...

"mainline" Python flowtools aren't more robust, really. For Fedora I maintain a heavily patched version which is, indeed, more robust.