[ntar-workers] Generic Comments on NTAR format

Loris Degioanni loris.degioanni at gmail.com
Thu Jun 30 17:38:42 GMT 2005


Jose M. Gonzalez wrote:
> Hi, 
> 
> Some generic comments on the NTAR format: 
>  
> - The first thing I'd change is the use of 0, 1, 2, etc. for all the codes,
>   including block type codes (Figure 1), SHB Option codes, Interface Option
>   codes, etc. Instead, I'd use a 32-bit number corresponding to 4 ascii
>   characters that remind of the block/option meaning. For example, we
>   could use the following block type codes: 0x53484220 (or "SHB ") for
>   Section Header Blocks; 0x49444220 (or "IDB ") for Interface Definition 
>   Blocks; etc. The benefit of this approach is that a parser that doesn't
>   know how to parse a block could at least provide 4 ascii characters
>   understandable by humans ("DROP" is an easy one that comes to my mind).
>   The cost is zero. The benefit is non-zero. 
> 
> - You're repeating code 3 in Table 1. 
> 
> - I'd add a new column ("type") to all the Tables. This column would 
> 	explain what the contents of an option are (ascii string, 2 IPv4 
> 	address, one Ethernet address, etc.)
> 
> - In Table 2, when describing if_tsaccur, I'd add another example to 
> 	accuracy as a negative power of 10, namely "9 means nanosecond 
> 	accuracy."
> 
> - How is the dumper supposed to know the SHB length before knowing how 
> 	many packets he'll have to capture? If the captured data reaches a 
> 	value higher than what it was written in the SHB header, it needs 
> 	to close the SHB, create a new one, and repeat the full IDB spec. 
> 	This sounds like a bad idea. All dumpers will eventually use 0xffffffff 
> 	as the block length. 

...and, if they want, update the value with the correct size when they 
close the file (or, better, the section). Alternatively, another 
application could do that later, after scanning the file.

Note, in particular, that ntar_close_section() will be able to handle 
this transparently: Gianluca has already implemented this feature, it's 
still not there because we need to understand the performance hit of the 
backward fseek.

Loris


> Regards. 
> -Chema
> 
> _______________________________________________
> ntar-workers mailing list
> ntar-workers at winpcap.org
> https://www.winpcap.org/mailman/listinfo/ntar-workers
> 
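The write-a-placeholder-then-patch-on-close scheme discussed above, combined with Chema's proposal of 4-ASCII-character block codes, as an added Python example. This is not code from the NTAR/WinPcap project: the block layout (4-byte type, 4-byte total length, 4-byte-padded body), the 32-bit section length field sized to hold the thread's 0xffffffff placeholder, and the "EPB " packet code are assumptions made for this example only. The reader side shows what a parser should do with both a patched and an unpatched section length, and why every block must be bounded by its own length and the file size rather than trusted blindly.

```python
import io
import struct

# Block type codes as 4 ASCII characters, as proposed in the thread.
SHB = b"SHB "                # 0x53484220 Section Header Block
IDB = b"IDB "                # 0x49444220 Interface Definition Block
EPB = b"EPB "                # constructed code for a packet block (not from the thread)
UNKNOWN_LEN = 0xFFFFFFFF     # placeholder: section length not known while dumping


def _pad4(n):
    return (-n) % 4


def write_block(f, btype, body):
    """Emit one block: ASCII type, little-endian total length, body padded to 4 bytes."""
    total = 8 + len(body) + _pad4(len(body))
    f.write(btype + struct.pack("<I", total) + body + b"\0" * _pad4(len(body)))
    return total


class SectionWriter:
    """Dumper that writes 0xffffffff first and patches the real size on close."""

    def __init__(self, f):
        self.f = f
        self.shb_pos = None
        self.section_start = None

    def open_section(self, comment=b""):
        self.shb_pos = self.f.tell()
        # SHB body starts with the (still unknown) length of everything that follows it.
        write_block(self.f, SHB, struct.pack("<I", UNKNOWN_LEN) + comment)
        self.section_start = self.f.tell()

    def add_block(self, btype, body):
        write_block(self.f, btype, body)

    def close_section(self):
        # The backward seek the thread mentions: land on the section-length field,
        # overwrite the placeholder, then return to the end of the stream.
        end = self.f.tell()
        section_len = end - self.section_start
        self.f.seek(self.shb_pos + 8)          # skip type (4) + total length (4)
        self.f.write(struct.pack("<I", section_len))
        self.f.seek(end)
        return section_len


def type_name(tag):
    """Human-readable tag for any block, known or not (Chema's argument for ASCII codes)."""
    return tag.decode("ascii") if all(0x20 <= b < 0x7F for b in tag) else tag.hex()


def parse(data):
    """Walk all blocks; returns [(type_name, body), ...]. Never trusts a length past EOF."""
    blocks = []
    pos = 0
    section_end = None
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError(f"truncated block header at offset {pos}")
        tag = data[pos:pos + 4]
        total = struct.unpack_from("<I", data, pos + 4)[0]
        if total < 8 or total % 4 or pos + total > len(data):
            raise ValueError(f"bad block length {total} at offset {pos}")
        body = data[pos + 8:pos + total]
        if tag == SHB:
            if len(body) < 4:
                raise ValueError(f"SHB body too short at offset {pos}")
            declared = struct.unpack_from("<I", body, 0)[0]
            # 0xffffffff means the dumper never patched it: there is no declared end,
            # so the reader simply walks block by block until the next SHB or EOF.
            section_end = None if declared == UNKNOWN_LEN else pos + total + declared
        elif section_end is not None and pos + total > section_end:
            raise ValueError(f"block at {pos} runs past declared section end {section_end}")
        blocks.append((type_name(tag), body))
        pos += total
    return blocks


def build_capture(close=True):
    """Constructed sample capture: one SHB, one IDB, two packet blocks."""
    buf = io.BytesIO()
    w = SectionWriter(buf)
    w.open_section(b"constructed sample")
    w.add_block(IDB, b"\x01\x00\x00\x00")
    w.add_block(EPB, b"\xde\xad\xbe\xef\x00")
    w.add_block(EPB, b"\xca\xfe")
    section_len = w.close_section() if close else None
    return buf.getvalue(), section_len


if __name__ == "__main__":
    data, n = build_capture()
    print("patched section length:", n)
    for name, body in parse(data):
        print(name, len(body))
```

Note the asymmetry: the writer only needs `close_section()` to be called once per section, but the reader must cope with files where that never happened (a dumper killed mid-capture), which is exactly the 0xffffffff case the thread says all dumpers will end up using.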