From Paul.Long at microsoft.com Mon Apr 1 06:30:42 2013 From: Paul.Long at microsoft.com (Paul Long) Date: Mon, 1 Apr 2013 13:30:42 +0000 Subject: [pcap-ng-format] Does PCAPNG have just one version number? Message-ID: <86775CAA821EAE499D7CBFCC8E62DC12348ED3@DF-M14-22.exchange.corp.microsoft.com> We want to display an appropriate version for PCAPNG files. For instance for Netmon .cap, we have various version we could show. My take is that you can have multiple PCAPNG version headers, so I'm assuming there is no ONE version to display. Is it appropriate to show "pcapng" as the version? Paul Long (Program Manager, Protocol Engineering Framework) W: 980-776-7322 C: 704-996-4212 Network Monitor | Message Analyzer (PEF) -------------- next part -------------- An HTML attachment was scrubbed... URL: From guy at alum.mit.edu Mon Apr 1 10:28:59 2013 From: guy at alum.mit.edu (Guy Harris) Date: Mon, 1 Apr 2013 10:28:59 -0700 Subject: [pcap-ng-format] Does PCAPNG have just one version number? In-Reply-To: <86775CAA821EAE499D7CBFCC8E62DC12348ED3@DF-M14-22.exchange.corp.microsoft.com> References: <86775CAA821EAE499D7CBFCC8E62DC12348ED3@DF-M14-22.exchange.corp.microsoft.com> Message-ID: <401381E2-7815-4C7C-95DC-61094A2E8D53@alum.mit.edu> On Apr 1, 2013, at 6:30 AM, Paul Long wrote: > We want to display an appropriate version for PCAPNG files. For instance for Netmon .cap, we have various version we could show. My take is that you can have multiple PCAPNG version headers, so I?m assuming there is no ONE version to display. A pcap-ng file can be composed of multiple sections (the intent here is to allow files to be concatenated by a tool such as UN*X's cat command), each with its own Section Header Block, so, in theory, there could be multiple versions. If you haven't read the entire file, showing the version from the first section, and noting that it's just the first section, might be appropriate. If you have read the entire file, showing a list of versions might be the right thing to do. From erik.hjelmvik at gmail.com Mon Apr 1 13:43:25 2013 From: erik.hjelmvik at gmail.com (Erik Hjelmvik) Date: Mon, 1 Apr 2013 22:43:25 +0200 Subject: [pcap-ng-format] Does PCAPNG have just one version number? In-Reply-To: <401381E2-7815-4C7C-95DC-61094A2E8D53@alum.mit.edu> References: <86775CAA821EAE499D7CBFCC8E62DC12348ED3@DF-M14-22.exchange.corp.microsoft.com> <401381E2-7815-4C7C-95DC-61094A2E8D53@alum.mit.edu> Message-ID: 2013/4/1 Guy Harris > > On Apr 1, 2013, at 6:30 AM, Paul Long wrote: > > > We want to display an appropriate version for PCAPNG files. For > instance for Netmon .cap, we have various version we could show. My take > is that you can have multiple PCAPNG version headers, so I?m assuming there > is no ONE version to display. > > A pcap-ng file can be composed of multiple sections (the intent here is to > allow files to be concatenated by a tool such as UN*X's cat command), each > with its own Section Header Block, so, in theory, there could be multiple > versions. > > If you haven't read the entire file, showing the version from the first > section, and noting that it's just the first section, might be appropriate. > If you have read the entire file, showing a list of versions might be the > right thing to do. > My guess is that 99.9% of all PCAPNG files will have just one SHB or multiple SHB's with the same version number. So displaying just the [MAJOR].[MINOR] version number of the first SHB should be adequate. -- likes: http://pcapng.com blog: http://www.netresec.com/?page=Blog twitter: http://twitter.com/netresec -------------- next part -------------- An HTML attachment was scrubbed... URL: