[ntar-workers] Use of the application-specific blocks in the pcap-ng file specification
Gianluca Varenni
gianluca.varenni at cacetech.com
Thu May 11 04:12:52 GMT 2006
Hi all.
Looking at the definition of the "application specific blocks" (or better,
sort of lack of definition) Guy, Loris and I found a problem with their use,
and the specification is not clear at all.
Basically the specification says that application specific blocks have a
block type with the most significant bit set to 1. An application A can
therefore define its own block with type value X.
An application with no app-specific block types can just ignore them, but we
are in trouble if app B chooses the same block type value X. How can app B
distinguish a block with value X created by app A from one created
by itself?
We discussed possible solutions a bit, and basically it seems that the
best way to solve this issue is to:
1. deprecate the use of app-specific blocks (in the sense that applications
should not create their own block type values, if they want to create a
portable pcap-ng file)
2. create some sort of unique repository of block type values. If an app
needs to define a new block, it just needs to ask the repository for a new
block code value. The LINKTYPE/DLT values for libpcap (and the future LINKTYPE
values for pcap-ng) work in this same way.
This approach seems to be the most straightforward, at the expense (of
course) of maintaining a public and centralized repository for the block
type codes.
Any opinions/ideas on it?
Have a nice day
GV
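
The collision described in the message above, as an added example that is not part of the original post or of any pcap-ng tool: a minimal block walker plus a constructed capture in which two applications chose the same type value X. The Section Header Block type and byte-order magic are the pcap-ng format's own values; the value chosen for X, the two body layouts and `app_b_decode` are assumptions made for illustration.

```python
import struct

SHB_TYPE = 0x0A0D0D0A          # Section Header Block type (reads the same in either byte order)
BYTE_ORDER_MAGIC = 0x1A2B3C4D  # first SHB body field, reveals the writer's endianness
APP_SPECIFIC_BIT = 0x80000000  # MSB set: application-specific block type

def make_block(block_type, body, endian="<"):
    """Serialize one block: type, total length, body padded to 32 bits, total length."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack(endian + "II", block_type, total) + body + struct.pack(endian + "I", total)

def walk_blocks(data):
    """Yield (block_type, body) for every block of a single-section capture."""
    if len(data) < 12 or struct.unpack_from("<I", data, 0)[0] != SHB_TYPE:
        raise ValueError("capture does not start with a Section Header Block")
    endian = next((e for e in "<>" if struct.unpack_from(e + "I", data, 8)[0] == BYTE_ORDER_MAGIC), None)
    if endian is None:
        raise ValueError("bad byte-order magic")
    off = 0
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError("truncated block header")
        btype, total = struct.unpack_from(endian + "II", data, off)
        if total < 12 or total % 4 or total > len(data) - off:
            raise ValueError(f"bad block length at offset {off}")
        if struct.unpack_from(endian + "I", data, off + total - 4)[0] != total:
            raise ValueError(f"length fields disagree at offset {off}")
        yield btype, data[off + 8:off + total - 4]
        off += total

def app_specific_blocks(data):
    """Return the blocks a generic reader can only skip: those with the MSB set."""
    return [(t, b) for t, b in walk_blocks(data) if t & APP_SPECIFIC_BIT]

def app_b_decode(body):
    """Hypothetical app B layout: 32-bit little-endian length, then that many label bytes."""
    (n,) = struct.unpack_from("<I", body, 0)
    return body[4:4 + n]

# Constructed sample: both hypothetical applications picked the same type value X.
X = 0x80000001
SHB = make_block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
FROM_APP_A = make_block(X, struct.pack("<II", 3, 0x00434241))  # app A: two 32-bit counters
FROM_APP_B = make_block(X, struct.pack("<I", 4) + b"eth0")     # app B: length-prefixed label
CAPTURE = SHB + FROM_APP_A + FROM_APP_B

if __name__ == "__main__":
    print([(hex(t), app_b_decode(b)) for t, b in app_specific_blocks(CAPTURE)])
```

Both blocks come back with the same type, and app B's decoder accepts app A's counters as a well-formed label without any error, so a reader that trusts the type value alone cannot detect the mix-up.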