[ntar-workers] Use of the application-specific blocks in thepcap-ng file specification

Fulvio Risso fulvio.risso at polito.it
Mon May 15 21:29:12 GMT 2006


Gianluca Varenni wrote:
> 
> ----- Original Message ----- From: "Fulvio Risso" <fulvio.risso at polito.it>
> To: <ntar-workers at winpcap.org>
> Sent: Thursday, May 11, 2006 10:19 AM
> Subject: Re: [ntar-workers] Use of the application-specific blocks in 
> thepcap-ng file specification
> 
> 
>> Guy Harris wrote:
>>>
>>> On May 10, 2006, at 9:12 PM, Gianluca Varenni wrote:
>>>
>>>> We discussed a bit about possible solutions, and basically it seems 
>>>> that the best way to solve this issue is to
>>>> 1. deprecate the use of app-specific blocks (in the sense that 
>>>> applications should not create their own block type values, if they 
>>>> want to create a portable pcap-ng file)
>>>> 2. create some sort of unique repository of block type values. If an 
>>>> app needs to define a new block, it just needs to ask a new block 
>>>> code value to the repository. The LINKTYPE/DLT values for libpcap 
>>>> (and the future LINKTYPE values for pcap-ng) work in this same way.
>>>>
>>>> This approach seems to be the most straightforward, at the expense 
>>>> (of course) of maintaining a public and centralized repository for 
>>>> the block type codes.
>>>
>>> Note that if the developers of an app want to define a proprietary, 
>>> private block type, they could do so, even with a public repository 
>>> for the block type codes.  The repository merely needs to allow app 
>>> developers to request a block type code without specifying anything 
>>> other than, perhaps, their name, and that block type code would be 
>>> marked as "reserved for XXX".  The DNS-SD registry of service types:
>>>
>>>     http://www.dns-sd.org/ServiceTypes.html
>>>
>>> allows that, as does tcpdump.org's registry of DLT_ types (and the 
>>> latter registry has some private types of that sort registered 
>>> already).  The registry could even, I guess, allow the name of the 
>>> requester to be kept secret, if that's really necessary.
>>>
>>> This would make the app-specific block types similar to the DLT_USERn 
>>> types in the tcpdump.org registry - no guarantee can be made that a 
>>> file using an app-specific block type can be read safely and 
>>> correctly by any apps other than apps specifically written to 
>>> interpret that block type in the fashion in which it's used by the 
>>> file, just as no guarantee can be made that a libpcap file using a 
>>> DLT_USERn link-layer type can be read safely and correctly by any 
>>> apps other than apps specifically written (or configured) to 
>>> interpret that DLT_ value in the fashion in which it's used by the file.
>>>
>>> In other words, if you want to use app-specific block types 
>>> internally, with some internally-developed tool, and never provide to 
>>> anybody files using them if you don't know whether they'll try to 
>>> read them with their own internally-developed tools (and don't ever 
>>> expect tcpdump, Ethereal, etc. to interpret them in the right fashion 
>>> for your file), you can use them.  Otherwise, request a standard 
>>> block type.
>>
>> This was exactly my intention when we defined application-specific 
>> blocks.
>> Probably this kind of blocks might be renamed in "private blocks" or 
>> something like that. They should be used when someone needs to define 
>> a new block that will never go public, hence it needs an (hopefully) 
>> unique code for identifying the new block. If your application goes 
>> public and it needs to define a block for its purposes, it should ask 
>> for a new "public" block code.
> 
> I think that renaming the app-specific blocks to private blocks makes 
> sense. Moreover, I would add a big note clearly stating that choosing a 
> private block (instead of requesting a public block type code) can be 
> potentially dangerous, and it should be done *only* if you are 100% sure 
> that those blocks should never be read by another pcap-ng aware 
> application (i.e. if you use a private block, you might easily incur 
> into interoperability issues, be warned).

I completely agree on the additional statement you're proposing.
Cheers,

	fulvio

> 
> Have a nice day
> GV
> 
> 
> 
> 
>>
>> By the way, this is how local MAC addresses work.
>>
>> Cheers,
>>
>> fulvio
>>
>>
>>
>>
>> _______________________________________________
>> ntar-workers mailing list
>> ntar-workers at winpcap.org
>> https://www.winpcap.org/mailman/listinfo/ntar-workers 
> 
> _______________________________________________
> ntar-workers mailing list
> ntar-workers at winpcap.org
> https://www.winpcap.org/mailman/listinfo/ntar-workers
> 



More information about the ntar-workers mailing list