[ntar-workers] Generic Comments on NTAR format
Jose M. Gonzalez
chema at cs.berkeley.edu
Thu Jun 30 07:50:23 GMT 2005
Some generic comments on the NTAR format:
- The first thing I'd change is the use of 0, 1, 2, etc. for all the codes,
including block type codes (Figure 1), SHB Option codes, Interface Option
codes, etc. Instead, I'd use a 32-bit number corresponding to 4 ASCII
characters that remind one of the block/option meaning. For example, we
could use the following block type codes: 0x53484220 (or "SHB ") for
Section Header Blocks; 0x49444220 (or "IDB ") for Interface Definition
Blocks; etc. The benefit of this approach is that a parser that doesn't
know how to parse a block could at least provide 4 ASCII characters
understandable by humans ("DROP" is an easy one that comes to my mind).
The cost is zero. The benefit is non-zero.
- You're repeating code 3 in Table 1.
- I'd add a new column ("type") to all the Tables. This column would
explain what the contents of an option are (ASCII string, 2 IPv4
addresses, one Ethernet address, etc.)
- In Table 2, when describing if_tsaccur, I'd add another example to
accuracy as a negative power of 10, namely "9 means nanosecond
- How is the dumper supposed to know the SHB length before knowing how
many packets he'll have to capture? If the captured data reaches a
value higher than what was written in the SHB header, it needs
to close the SHB, create a new one, and repeat the full IDB spec.
This sounds like a bad idea. All dumpers will eventually use 0xffffffff
as the block length.
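
The first suggestion in the message above, as an added example that is not part of the original mail or of the NTAR draft: a block walker that labels blocks it cannot parse by their 4-character type code, escaping non-printable bytes and validating each length field before trusting it. The type/length layout, the big-endian byte order and the names `tag_text`, `walk_blocks` and `make_block` are assumptions made for this sketch; only the two type codes and the "DROP" tag come from the message.

```python
import struct

# Assumed layout for this sketch (not taken from the NTAR draft): every block
# is type(4) | total_length(4) | body, both fields big-endian, and
# total_length counts the 8 header bytes.
HEADER = struct.Struct(">II")
KNOWN = {
    0x53484220: "Section Header Block",        # "SHB ", code from the mail
    0x49444220: "Interface Definition Block",  # "IDB ", code from the mail
}

def tag_text(code):
    """Render a 32-bit type code as 4 characters, escaping non-printables.

    The bytes come from an untrusted file, so control characters (for
    example terminal escapes) are never echoed raw.
    """
    raw = struct.pack(">I", code)
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b for b in raw)

def walk_blocks(buf):
    """Return [(tag, description, body_length)] for each block in buf."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise ValueError("truncated block header at offset %d" % off)
        code, total = HEADER.unpack_from(buf, off)
        # Reject lengths that would stall the loop or run past the buffer.
        if total < HEADER.size or total > len(buf) - off:
            raise ValueError("bad block length %d at offset %d" % (total, off))
        out.append((tag_text(code), KNOWN.get(code, "unknown block"),
                    total - HEADER.size))
        off += total
    return out

def make_block(tag, body=b""):
    """Build one constructed sample block."""
    return tag + struct.pack(">I", HEADER.size + len(body)) + body

# Constructed sample: two known blocks, an unknown "DROP" block, and an
# unknown block that uses a small integer (6) as its type code.
SAMPLE = (make_block(b"SHB ", b"\x00" * 4) + make_block(b"IDB ", b"\x00" * 8)
          + make_block(b"DROP", b"\x00\x00\x00\x05")
          + make_block(b"\x00\x00\x00\x06", b"x"))

if __name__ == "__main__":
    for tag, desc, size in walk_blocks(SAMPLE):
        print("%-16s %-28s %d body bytes" % (tag, desc, size))
```
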