<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 10.02.2014 07:12, Loris Degioanni
wrote:<br>
</div>
<blockquote
cite="mid:CAN7wusqAskaVDV9bDfp1OMUJ_5ykU2uiQ_e_hMEzxPbjrw89xA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Fri, Feb 7, 2014 at 2:14 PM,
Jasper Bongertz <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:jasper@packet-foo.com" target="_blank">jasper@packet-foo.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div>
<span style="font-family:'Courier New';font-size:9pt">Hello
Loris,<br>
<br>
can you check if the INTERFACE LIST BLOCK can be
replaced with the existing "Interface Description
Block", or maybe extended by adding options to it? You
can find the one I am talking about at section 3.2 at
</span><a moz-do-not-send="true"
href="http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html"
target="_blank">http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html</a>
<br>
</div>
</blockquote>
<div><br>
</div>
<div><br>
</div>
<div><span style="font-family:'Courier New';font-size:12px">The
purpose of the INTERFACE LIST BLOCK is storing the list
of network interfaces (and their addresses) of the
machine where the capture has been done. The information
is somewhat similar to the one included in the interface
description block, but the semantic is quite different.
I could encode the </span><span
style="font-family:'Courier New';font-size:12px">INTERFACE
LIST BLOCK</span><span style="font-family:'Courier
New';font-size:12px"> information in a sequence of
interface description blocks, but then we would need a
way to specify which interface description block
is the one used for capture. </span></div>
<div><br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Isn't that the way it is done at the moment? If I capture on
multiple interfaces in Wireshark I'll get a pcap-ng file with
multiple Interface Description Blocks, starting with an index of 0
and incremented by 1 for each block (the index is not included in
the IDB, but the rule is that the first block has the index 0, the
second is index 1 and so on). Each packet then has an index value in
the packet block header, indicating the IDB of the interface it was
captured on. So even if you want to write interfaces into the trace
that aren't used for capture you could add e.g. ten interface
blocks, even if only two are referenced by packets.<br>
<br>
<blockquote
cite="mid:CAN7wusqAskaVDV9bDfp1OMUJ_5ykU2uiQ_e_hMEzxPbjrw89xA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div>
<br>
<span style="font-family:'Courier New';font-size:9pt">The
same goes for the PROCESS LIST BLOCK - can you check
if the specifications of the block called "Process
Event Block" in use by the Hone Project fits your
needs? See section 3.1 at </span><a
moz-do-not-send="true"
href="https://github.com/HoneProject/Linux-Sensor/blob/master/hone-pcapng.txt"
target="_blank">https://github.com/HoneProject/Linux-Sensor/blob/master/hone-pcapng.txt</a>
<br>
</div>
</blockquote>
<div><br>
</div>
<div><br>
</div>
<div>The two blocks are actually very different. The <span
style="font-family:'Courier New';font-size:12px">PROCESS
LIST BLOCK</span> contains a list of machine processes,
similar to what ps would emit. I can definitely use a
different name if you think it's confusing. Do you have
suggestions?</div>
</div>
</div>
</div>
</blockquote>
<br>
Can your PROCESS LIST BLOCK be written as a chain of hone's PROCESS
EVENT BLOCKs, or doesn't that make any sense? I'm not trying to make
things harder for you, I just want to keep the specifications as
duplicate-free as possible :-)<br>
<br>
<blockquote
cite="mid:CAN7wusqAskaVDV9bDfp1OMUJ_5ykU2uiQ_e_hMEzxPbjrw89xA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>Loris</div>
<div> </div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div>
<br>
<span style="font-family:'Courier New';font-size:9pt">I
want to avoid having very similar block types twice in
the specifications if possible, especially if the
names are easily confused as well. If you have to add
those two block types as completely new types could
you please find names for them that make them
distinguishable from the existing ones?<br>
<br>
Thanks,<br>
Jasper
<div>
<div class="h5"><br>
<br>
Friday, February 7, 2014, 10:08:11 PM, you wrote:<br>
<br>
</div>
</div>
</span>
<div>
<div class="h5">
<table>
<tbody>
<tr>
<td bgcolor="#0000ff" width="2"><br>
</td>
<td><span style="font-family:'courier
new';font-size:9pt">I need 6 blocks, that
have to do with capturing system events in
a new open source tool that I'm about to
release. Here they are: <br>
<br>
MACHINE INFO BLOCK <br>
PROCESS LIST BLOCK <br>
FD LIST BLOCK <br>
EVENT BLOCK <br>
INTERFACE LIST BLOCK <br>
USER LIST BLOCK <br>
<br>
The exact block structures are still work
in progress, but I will release the code
that implements them. <br>
<br>
So if it's ok with you I will use block
numbers 0x201->0x206. <br>
<br>
Loris <br>
<br>
<br>
On Fri, Feb 7, 2014 at 12:19 PM, Jasper
Bongertz <</span><a
moz-do-not-send="true"
style="font-family:'courier
new';font-size:9pt"
href="mailto:jasper@packet-foo.com"
target="_blank">jasper@packet-foo.com</a><span
style="font-family:'courier
new';font-size:9pt">> wrote:<br>
Hello Loris,<br>
<br>
I don't think there is a real process for
that right now. A group of developers met
last year at Sharkfest at my request to
see how to proceed with the existing
design specifications. The idea at the
moment is to make an RFC out of it, but
that is still in progress. We also did not
yet define how to add new block types, but
we agreed that the existing specification
minus the experimental block types should
become the 1.0 specification. So anything
added on top of that will be in a later
official RFC (if we get it to be accepted
as an RFC, that is).<br>
<br>
What kind of blocks do you need? The hone
project added additional block types like
0x101 and 0x102 on their own, so maybe you
could go with something like x201, x202
etc. up for the time being? If that's okay
just let me know the block types and
structures so I can keep track of them. <br>
<br>
Cheers,<br>
Jasper<br>
<br>
<br>
Friday, February 7, 2014, 8:47:49 PM, you
wrote:<br>
<br>
</span>
<table>
<tbody>
<tr>
<td bgcolor="#0000ff" width="2"><br>
</td>
<td><span style="font-family:'courier
new';font-size:9pt">I need to
reserve some pcap-ng block types
for a project I'm working on. Can
anyone remind me of the process I
need to follow?</span></td>
</tr>
</tbody>
</table>
<br>
<br>
</td>
</tr>
</tbody>
</table>
<br>
<br>
<br>
<br>
</div>
</div>
<span class=""><font color="#888888"><span
style="font-family:arial;color:rgb(192,192,192)"><i>--
</i></span></font></span></div>
</blockquote>
</div>
</div>
</div>
</blockquote>
<br>
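Jasper's description of how packets reference Interface Description Blocks by position, as an added example that is not from this thread or from either project: it writes a little-endian pcap-ng section with three IDBs (only two of them referenced by packets, as in his "ten interface blocks" case) and then checks that every packet's interface_id resolves to an IDB. Block layouts follow the draft spec linked above; the sample bytes are constructed, option fields are omitted, and big-endian sections are out of scope.

```python
import struct
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # pcap-ng block type codes
BYTE_ORDER_MAGIC = 0x1A2B3C4D  # this example handles little-endian sections only

def block(block_type, body):
    """Frame a block: type, total length, body padded to 32 bits, total length again."""
    pad = (-len(body)) % 4
    total = 12 + len(body) + pad
    return struct.pack("<II", block_type, total) + body + b"\0" * pad + struct.pack("<I", total)

def shb():  # Section Header: byte-order magic, version 1.0, section length -1, no options
    return block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))

def idb(linktype, snaplen=65535):
    # Interface Description: linktype, reserved, snaplen; its index is its order in the section
    return block(IDB, struct.pack("<HHI", linktype, 0, snaplen))

def epb(interface_id, ts, data):
    # Enhanced Packet: interface_id names the n-th IDB (0-based) of the current section
    hdr = struct.pack("<IIIII", interface_id, ts >> 32, ts & 0xFFFFFFFF, len(data), len(data))
    return block(EPB, hdr + data)

def walk_blocks(buf):
    """Yield (block_type, body) per block, rejecting bad lengths instead of looping forever."""
    off = 0
    while off < len(buf):
        btype, total = struct.unpack_from("<II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError("bad block_total_length at offset %d" % off)
        if struct.unpack_from("<I", buf, off + total - 4)[0] != total:
            raise ValueError("trailing length mismatch at offset %d" % off)
        yield btype, buf[off + 8:off + total - 4]
        off += total

def check_interface_refs(buf):
    """Return (IDB count, interface ids used by packets, ids that no IDB describes)."""
    idb_count, used = 0, []
    for btype, body in walk_blocks(buf):
        if btype == SHB:
            assert struct.unpack_from("<I", body)[0] == BYTE_ORDER_MAGIC, "little-endian only"
            idb_count = 0  # IDB numbering restarts with every section
        elif btype == IDB:
            idb_count += 1
        elif btype == EPB:
            used.append(struct.unpack_from("<I", body)[0])
    return idb_count, used, sorted({i for i in used if i >= idb_count})

# Constructed sample: three IDBs are written, but packets only reference interfaces 0 and 1
GOOD = shb() + idb(1) + idb(1) + idb(101) + epb(0, 1, b"\xaa" * 14) + epb(1, 2, b"\xbb" * 15)
BAD = GOOD + epb(5, 3, b"\xcc" * 4)  # interface 5 was never described by an IDB
```

A reader that trusts interface_id without this check would index past the IDB table on the BAD file, which is the kind of malformed input a capture parser should reject rather than crash on.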
</body>
</html>