[ntar-workers] Use of the application-specific blocks in the pcap-ng file specification

Guy Harris guy at alum.mit.edu
Mon May 15 18:46:48 GMT 2006


Gianluca Varenni wrote:

> I think that renaming the app-specific blocks to private blocks makes 
> sense. Moreover, I would add a big note clearly stating that choosing a 
> private block (instead of requesting a public block type code) can be 
> potentially dangerous, and it should be done *only* if you are 100% sure 
> that those blocks should never be read by another pcap-ng aware 
> application (i.e. if you use a private block, you might easily incur 
> into interoperability issues, be warned).

Or, at least, they should never be read by another pcap-ng aware 
application that you don't control and that's not a "public" application.

By "public" application I'm referring to apps such as tcpdump/WinDump, 
Ethereal, Analyzer, etc. - I wouldn't expect public releases of those 
applications to ever do anything with private blocks other than perhaps 
passing them through unchanged, although people might have private 
versions of those applications that would handle them - which, if it's 
from a group other than the one adding the private block in question, 
would be an application that they don't control.

E.g., if your group has two applications that both use a particular 
private block, it's probably safe to let the files be read by both the 
applications.  However, letting people in a group that might have their 
own applications using private blocks read those files - that's not safe.
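
A sketch of the "passing them through unchanged" behaviour for a public reader, added here as an example and not code from this thread or from any application named in it: it validates block framing only and copies each block verbatim, counting private block types without interpreting their bodies. The block layout and the rule that a block type with bit 31 set is local-use are assumptions taken from the current pcapng specification; `0x80000001` and the sample bytes are constructed.

```python
import struct
from collections import Counter

SHB_TYPE = 0x0A0D0D0A        # Section Header Block; same bytes in either byte order
MAGIC, MAGIC_SWAPPED = 0x1A2B3C4D, 0x4D3C2B1A  # SHB byte-order magic

def is_local_use(block_type):
    # Assumption (current pcapng spec, not this thread): bit 31 set = local use.
    return bool(block_type & 0x80000000)

def walk_blocks(data):
    """Yield (block_type, raw_bytes) per block, validating framing only."""
    off, endian = 0, None
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError(f"truncated block at offset {off}")
        if struct.unpack_from("<I", data, off)[0] == SHB_TYPE:
            magic = struct.unpack_from("<I", data, off + 8)[0]
            if magic not in (MAGIC, MAGIC_SWAPPED):
                raise ValueError("bad byte-order magic")
            endian = "<" if magic == MAGIC else ">"
        if endian is None:
            raise ValueError("no Section Header Block at start of file")
        btype, total = struct.unpack_from(endian + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        if struct.unpack_from(endian + "I", data, off + total - 4)[0] != total:
            raise ValueError(f"length trailer mismatch at offset {off}")
        yield btype, data[off:off + total]
        off += total

def passthrough(data):
    """Copy every block verbatim; count local-use types without reading bodies."""
    out, private = bytearray(), Counter()
    for btype, raw in walk_blocks(data):
        if is_local_use(btype):
            private[btype] += 1
        out += raw
    return bytes(out), private

def make_block(btype, body, endian="<"):
    """Build one block of constructed sample data for this example."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)

def sample(endian="<"):
    shb = make_block(SHB_TYPE, struct.pack(endian + "IHHq", MAGIC, 1, 0, -1), endian)
    return shb + make_block(0x80000001, b"group-A", endian) + make_block(0x80000001, b"x", endian)
```

The count returned by `passthrough` gives a quick inventory of private blocks in a file before it is handed to another group.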

