Bjorn Stahl edited this page Jul 23, 2015 · 6 revisions

File Sensor

This is one of the more basic sensors available. The following screenshot shows it in action:

file_screenshot

The control window is a static preview window, generated when the sensor is started. It is updated with an estimate of the current data window position, and can be clicked for quick coarse-grained search. The initial dimensions can be changed on the command line, as can the wrapping behaviour (pad with 0 or repeat from the beginning).

The data window supports searching back and forth in small (LEFT/RIGHT) or large (META+LEFT/RIGHT) steps. The step size can be changed dynamically (mapped by default to keys 1/2 for small and 3/4 for large). You can also force-align to a 512-byte boundary (mapped by default to a).

Enhance Preview

To account for resolution issues with the preview window hiding important detail, there is an additional way to provide hints about interesting regions at the cost of longer preview generation times. By specifying a sampling hint and cutoff level, each preview row will have a histogram generated and compared against the histogram of the previous row. If the difference exceeds the specified cutoff threshold, the row will be colored accordingly.

file_previewres

This feature is activated when launching the sensor:

    ./sense_file -p0.5 -d ../tests/test.bin

The p argument enables the feature and sets the cutoff (range 0..1) and the d argument specifies that all bytes in that row should be used for the histogram (costly but more accurate).
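The row-to-row histogram comparison described above, as an added example in C (not the sensor's own code). The page does not name the difference metric, so total variation distance is assumed here because it falls in the same 0..1 range as the cutoff; `flag_rows` and `sample_mask` are hypothetical names, and every byte of a row is counted, as with the d argument.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed metric: total variation distance between the byte histograms of
 * two equal-length rows. 0.0 = same distribution, 1.0 = no values shared. */
static double hist_distance(const uint32_t *a, const uint32_t *b, size_t len) {
    uint64_t diff = 0;
    for (int i = 0; i < 256; i++)
        diff += a[i] > b[i] ? a[i] - b[i] : b[i] - a[i];
    return len ? (double)diff / (2.0 * (double)len) : 0.0;
}

/* Sets flags[r] = 1 when row r's histogram differs from row r-1's by more
 * than cutoff (0..1). Row 0 has no predecessor and a trailing partial row
 * is ignored. Every byte of a row is counted. Returns the flagged count. */
size_t flag_rows(const uint8_t *buf, size_t size, size_t row_len,
                 double cutoff, uint8_t *flags) {
    uint32_t prev[256] = {0}, cur[256];
    size_t rows = row_len ? size / row_len : 0, hits = 0;
    for (size_t r = 0; r < rows; r++) {
        memset(cur, 0, sizeof cur);
        for (size_t i = 0; i < row_len; i++)
            cur[buf[r * row_len + i]]++;
        flags[r] = r > 0 && hist_distance(prev, cur, row_len) > cutoff;
        hits += flags[r];
        memcpy(prev, cur, sizeof prev);
    }
    return hits;
}

/* Constructed sample: rows 0-1 are zero padding, row 2 holds bytes 0..63,
 * row 3 the same bytes reversed. Returns a bitmask of the flagged rows. */
unsigned sample_mask(double cutoff) {
    uint8_t buf[4 * 64] = {0}, flags[4];
    unsigned mask = 0;
    for (int i = 0; i < 64; i++) {
        buf[2 * 64 + i] = (uint8_t)i;
        buf[3 * 64 + i] = (uint8_t)(63 - i);
    }
    flag_rows(buf, sizeof buf, 64, cutoff, flags);
    for (int r = 0; r < 4; r++)
        mask |= (unsigned)flags[r] << r;
    return mask;
}

int main(void) { printf("flagged rows: 0x%x\n", sample_mask(0.5)); return 0; }
```

In the constructed sample only row 2 is flagged: the transition from padding to varied data changes the byte distribution, while row 3 reorders the same bytes and leaves the histogram unchanged.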

Recommendations

  • Use ECFS for good snapshotting of live processes for offline analysis

Caveats

  • Small preview window sizes hide a lot of detail, and there is a lack of more advanced sampling functions that would retain more detail.

  • Performs rather poorly when we start creeping up into multi-Gb data levels.

Planned Changes

  • Using a map with metadata of read(), write() and seek() calls to replay the access timeline to simulate the I/O behavior some specific application had.

  • Multiple view windows of the same file.

  • Allow a secondary overlay file to be specified (one that is of the same size as the one being studied), that is used to highlight changes both in preview and in alpha-channel for meta-data.
