[ntar-workers] Use of the application-specific blocks in the pcap-ng file specification

Gianluca Varenni gianluca.varenni at cacetech.com
Thu May 11 04:12:52 GMT 2006


Hi all.

Looking at the definition of the "application specific blocks" (or better, 
sort of lack of definition) Guy, Loris and I found a problem with their use, 
and the specification is not clear at all.

Basically the specification says that application specific blocks have a 
block type with the most significant bit set to 1. An application A can 
therefore define its own block with type value X.

An application with no app-specific block types can just ignore them, but we 
are in trouble if app B chooses the same block type value X. How can app B 
distinguish a block with value X created by app A from one created 
by itself?

We discussed possible solutions a bit, and basically it seems that the 
best way to solve this issue is to
1. deprecate the use of app-specific blocks (in the sense that applications 
should not create their own block type values, if they want to create a 
portable pcap-ng file)
2. create some sort of unique repository of block type values. If an app 
needs to define a new block, it just needs to ask the repository for a new 
block code value. 
the repository. The LINKTYPE/DLT values for libpcap (and the future LINKTYPE 
values for pcap-ng) work in this same way.

This approach seems to be the most straightforward, at the expense (of 
course) of maintaining a public and centralized repository for the block 
type codes.

Any opinions/ideas on it?

Have a nice day
GV
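
The collision described in the message above, as an added example that is not part of the original post or of any pcap-ng implementation. It assumes the general pcap-ng block layout (32-bit type, 32-bit total length, body, repeated total length) in little-endian order; the type value X, the MSB-clear type value and the block bodies are constructed.

```python
import struct

APP_SPECIFIC_BIT = 0x80000000  # most significant bit of the 32-bit block type

def make_block(block_type, body):
    """Build one block: type, total length, body (padded to 32 bits), total length."""
    padded = body + b"\x00" * (-len(body) % 4)
    total = 12 + len(padded)
    return struct.pack("<II", block_type, total) + padded + struct.pack("<I", total)

def iter_blocks(data):
    """Yield (block_type, body) per block, checking both length fields."""
    off = 0
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError(f"truncated block at offset {off}")
        block_type, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        if struct.unpack_from("<I", data, off + total - 4)[0] != total:
            raise ValueError(f"length fields disagree at offset {off}")
        yield block_type, data[off + 8 : off + total - 4]
        off += total

def is_app_specific(block_type):
    return bool(block_type & APP_SPECIFIC_BIT)

def portable_view(data):
    """Reader with no app-specific types: skip every block with the MSB set."""
    return [(t, body) for t, body in iter_blocks(data) if not is_app_specific(t)]

def claimed_by(data, own_types):
    """Reader that owns app-specific types: the type value is all it can match on."""
    return [body for t, body in iter_blocks(data) if t in own_types]

# Constructed sample: one block with the MSB clear, then apps A and B both using X.
X = 0x80000001         # hypothetical value picked independently by A and B
STANDARD = 0x00000002  # constructed type value with the MSB clear
CAPTURE = (make_block(STANDARD, b"\x00" * 8)
           + make_block(X, b"app-A:flow-stats")
           + make_block(X, b"app-B:gps-points"))

if __name__ == "__main__":
    print("portable reader keeps:", [hex(t) for t, _ in portable_view(CAPTURE)])
    # App B asks for "its" blocks and also receives A's body.
    print("app B claims:", claimed_by(CAPTURE, {X}))
```

A reader that parses every claimed body with its own layout would run app A's bytes through app B's decoder, so the block body needs its own validation as long as type values are not centrally assigned.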


