[ntar-workers] Simple packet block

Gianluca Varenni gianluca.varenni at gmail.com
Fri Jul 1 06:00:25 GMT 2005


----- Original Message ----- 
From: "Guy Harris" <guy at alum.mit.edu>
To: <ntar-workers at winpcap.org>
Sent: Thursday, June 30, 2005 5:20 PM
Subject: Re: [ntar-workers] Simple packet block


>
> On Jun 30, 2005, at 2:49 PM, Stephen Donnelly wrote:
>
>> I think having a SPB may be useful in some environments. When capturing
>> at high packet rates having unused option fields present is expensive in
>> bandwidth and space.
>
> 4 bytes of 0's per packet is all that the option field adds if there
> aren't any options. Is that overhead sufficient to make an SPB that
> *only* lacks an option field useful? For a simple capture on only one
> interface, the interface ID is unnecessary; if the drops count is also
> unnecessary, that eliminates 4 more bytes. If that capture is done
> without a snapshot length, you can also get rid of the Captured Len
> field.
>
>> Having the SPB not support the addition of optional fields also 
>> simplifies parsing and should save time when reading the file.
>
> All blocks begin with a type and length field, so the options don't have
> to be parsed when reading the file - you can just skip over the remaining
> bytes. If the application *does* care about the options, the option
> parsing code needs to be there anyway, so the only benefit might be not
> running that code on an SPB - but checking for the 4 bytes of 0 might not
> add enough overhead to make a difference.


Uhm, maybe I didn't understand your reasoning...

...when I implemented ntar, I used the "end of option" option (i.e. 4 
0-bytes) only when "real" options do exist. If a block does not have 
options, nothing is written after the data (i.e. no 4 0-bytes). I'm almost 
sure this is how some network protocols handle their options, but I don't 
remember which one(s).

Have a nice day
GV
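
An added sketch, not ntar's code and not written by anyone in this thread, of the two points discussed: a reader can skip a block from its type and length fields alone, and a reader that does parse options can accept a block whether or not the 4 zero bytes follow the data. The field widths, byte order, option layout and the `make_block` helper are assumptions made for illustration, not the draft format's definitions.

```python
import struct

HDR = struct.Struct("<II")   # assumed: 32-bit block type, 32-bit total block length
OPT = struct.Struct("<HH")   # assumed: 16-bit option code, 16-bit option length

def pad4(n):
    return (n + 3) & ~3

def walk_blocks(buf):
    """Yield (type, body) per block, using only the type and length fields."""
    off = 0
    while off < len(buf):
        if len(buf) - off < HDR.size:
            raise ValueError("truncated block header")
        btype, total = HDR.unpack_from(buf, off)
        # A length that is too small, unaligned or past the end must not be followed.
        if total < HDR.size or total % 4 or off + total > len(buf):
            raise ValueError("bad block length %d at offset %d" % (total, off))
        yield btype, buf[off + HDR.size:off + total]
        off += total

def parse_packet_body(body):
    """Return (data, options); accepts a block with or without the 4 zero bytes."""
    if len(body) < 4:
        raise ValueError("body too short")
    (dlen,) = struct.unpack_from("<I", body, 0)
    end = 4 + pad4(dlen)
    if end > len(body):
        raise ValueError("data length exceeds block")
    data, off, opts = body[4:4 + dlen], end, []
    while off < len(body):           # nothing after the data: no options at all
        if len(body) - off < OPT.size:
            raise ValueError("truncated option header")
        code, olen = OPT.unpack_from(body, off)
        off += OPT.size
        if code == 0 and olen == 0:  # "end of option": 4 zero bytes
            break
        if off + olen > len(body):
            raise ValueError("option overruns block")
        opts.append((code, body[off:off + olen]))
        off += pad4(olen)
    return data, opts

def make_block(btype, data, tail=b""):
    """Build a constructed sample block (test input only)."""
    body = struct.pack("<I", len(data)) + data.ljust(pad4(len(data)), b"\0") + tail
    return HDR.pack(btype, HDR.size + len(body)) + body
```
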



