[ntar-workers] Major rework / review of pcapng file format in CVS - please review

Ulf Lamping ulf.lamping at web.de
Wed Oct 17 10:11:01 GMT 2007


Hi List!

I've just committed into ntar CVS lots of changes to the PCAPng 
Specification document. I didn't add any new elements, but tried to 
clarify, remove inconsistencies, ...

Some of the changes were discussed with Gianluca before, some of them 
I've just tried to get a better document - but this very certainly needs 
further work.


What I've changed ...

Lots of editing:
change: put block types back into one section (looked ugly) - but keep 
the separation of them
add: section "Logical Block Hierarchy" - an attempt to visualize the 
dependencies of the blocks (I'm still not 100% satisfied)
change: some more file format examples
add: give example content to the Option fields throughout the doc (lots 
of TODO here, especially for IPv6)
change: ASCII art: now includes the block header, byte offsets, ...
change: obsolete "Packet Block" moved further below other packet blocks 
(it is confusing to mention the obsolete block first)
add: "recommended file name extension .pcapng" section (to avoid the 
situation that we have for libpcap files today)
add: possible block type 0x0A0D0A00-0x0A0D0AFF (caused by buggy ASCII 
translation of MSIE I've already seen "in the wild")
add: link layer header appendix (almost empty, needs further work)
change: add some more TODO and change my previous XXX markers also to TODO

Incompatible changes in "Interface Statistics Block" (this block wasn't 
used before, so we still can change it):
change Interface ID to be 32 bits (was 16 bits and a 16 bit reserved 
field - so it's now consistent with other parts of the doc)
isb_starttime/isb_endtime now uses fractional seconds according to 
if_tsaccur (so it's consistent with other timestamps - was formerly 
fixed to nanoseconds)


I think this spec is now better than before (but still far from being 
perfect), please have a look and comment, hope to hear from you ...

Regards, ULFL
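
Added example (not part of the original message and not ntar code): how a text-mode transfer can turn the Section Header Block type 0x0A0D0D0A into a value in the 0x0A0D0A00-0x0A0D0AFF range mentioned above, and how a reader can recognise it. The SHB layout and byte-order magic 0x1A2B3C4D are taken from the pcapng specification; the CR LF to LF translation model and all function names are assumptions made for illustration.

```python
import struct

# Section Header Block type from the pcapng specification; its on-disk bytes
# 0A 0D 0D 0A read the same in either byte order.
SHB_TYPE = 0x0A0D0D0A
# Range named in the message above for files damaged by ASCII translation.
DAMAGED_LO, DAMAGED_HI = 0x0A0D0A00, 0x0A0D0AFF


def minimal_shb(endian="<"):
    """Build a constructed 28-byte Section Header Block with no options."""
    # Byte-order magic, version 1.0, section length -1 (not specified).
    body = struct.pack(endian + "IHHq", 0x1A2B3C4D, 1, 0, -1)
    total = 12 + len(body)  # block type + two total-length fields + body
    return (struct.pack(">I", SHB_TYPE) + struct.pack(endian + "I", total)
            + body + struct.pack(endian + "I", total))


def text_mode_translate(data):
    """Assumed model of the buggy transfer: every CR LF pair becomes LF."""
    return data.replace(b"\r\n", b"\n")


def classify_start(data):
    """Classify a file by its first four bytes, read as a big-endian value."""
    if len(data) < 4:
        return "too short"
    (first,) = struct.unpack(">I", data[:4])
    if first == SHB_TYPE:
        return "pcapng"
    if DAMAGED_LO <= first <= DAMAGED_HI:
        # 0D 0A inside the block type collapsed to 0A, so the fourth byte
        # is now the first byte of the block total length field.
        return "pcapng damaged by ASCII translation"
    return "unknown"


if __name__ == "__main__":
    for endian in ("<", ">"):
        good = minimal_shb(endian)
        bad = text_mode_translate(good)
        print(endian, classify_start(good), "|", bad[:4].hex(), classify_start(bad))
```

A file classified as damaged has lost bytes throughout, not only in the header, so it should be fetched again in binary mode rather than repaired.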

