[ntar-workers] Generic Comments on NTAR format

Jose M. Gonzalez chema at cs.berkeley.edu
Thu Jun 30 07:50:23 GMT 2005


Hi, 

Some generic comments on the NTAR format: 
 
- The first thing I'd change is the use of 0, 1, 2, etc. for all the codes,
  including block type codes (Figure 1), SHB Option codes, Interface Option
  codes, etc. Instead, I'd use a 32-bit number corresponding to 4 ASCII
  characters that remind one of the block/option meaning. For example, we
  could use the following block type codes: 0x53484220 (or "SHB ") for
  Section Header Blocks; 0x49444220 (or "IDB ") for Interface Definition
  Blocks; etc. The benefit of this approach is that a parser that doesn't
  know how to parse a block could at least provide 4 ASCII characters
  understandable by humans ("DROP" is an easy one that comes to my mind).
  The cost is zero. The benefit is non-zero.

- You're repeating code 3 in Table 1. 

- I'd add a new column ("type") to all the Tables. This column would
  explain what the contents of an option are (ASCII string, 2 IPv4
  addresses, one Ethernet address, etc.)

- In Table 2, when describing if_tsaccur, I'd add another example to
  accuracy as a negative power of 10, namely "9 means nanosecond
  accuracy."

- How is the dumper supposed to know the SHB length before knowing how
  many packets he'll have to capture? If the captured data reaches a
  value higher than what was written in the SHB header, it needs
  to close the SHB, create a new one, and repeat the full IDB spec.
  This sounds like a bad idea. All dumpers will eventually use 0xffffffff
  as the block length.

Regards. 
-Chema
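
The four-character block type codes proposed above, shown as an added example that is not part of the original message or of any NTAR code. It assumes a simplified block layout (32-bit type, 32-bit total block length, then the body) and big-endian encoding so that 0x53484220 reads "SHB " in the file; the function names are hypothetical.

```python
import struct

# Block type codes proposed in the message; only these two are given there.
KNOWN_BLOCKS = {
    0x53484220: "Section Header Block",        # "SHB "
    0x49444220: "Interface Definition Block",  # "IDB "
}
# Assumed layout: 32-bit type, 32-bit total block length, big-endian.
HEADER = struct.Struct(">II")

def tag_of(code):
    """Return the 4-character tag for a type code, or None if not printable ASCII."""
    raw = struct.pack(">I", code)
    if all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None

def describe(code):
    """Human-readable label for a block type, whether the parser knows it or not."""
    if code in KNOWN_BLOCKS:
        return KNOWN_BLOCKS[code]
    tag = tag_of(code)
    return 'unknown block "%s"' % tag if tag else "unknown block 0x%08x" % code

def walk(data):
    """Yield (offset, label, body_length) per block, skipping bodies by length."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise ValueError("truncated block header at offset %d" % offset)
        code, total = HEADER.unpack_from(data, offset)
        # Reject lengths that would never advance or that run past the buffer.
        if total < HEADER.size or total > len(data) - offset:
            raise ValueError("bad block length %d at offset %d" % (total, offset))
        yield offset, describe(code), total - HEADER.size
        offset += total

def make_block(code, body=b""):
    # Helper that builds one block of the constructed sample stream.
    return HEADER.pack(code, HEADER.size + len(body)) + body

# Constructed sample: two known blocks, a "DROP" block unknown to this parser, and code 3.
SAMPLE = (make_block(0x53484220, b"\x00" * 8) + make_block(0x49444220, b"\x00" * 4)
          + make_block(0x44524F50, b"\x00\x00\x00\x07") + make_block(3, b"\x01\x02"))

if __name__ == "__main__":
    for off, label, n in walk(SAMPLE):
        print("%4d  %-30s %d body bytes" % (off, label, n))
```

The unknown "DROP" block is still reported by name, while the block with the small-integer code 3 can only be reported as a number.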


