[ntar-workers] Re: Major rework / review of pcapng file format in CVS - please review
Gianluca Varenni
gianluca.varenni at cacetech.com
Thu Oct 18 15:40:08 GMT 2007
I've just updated the spec online at
http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
with the latest version on the ntar CVS.
I will read the document within a couple days.
Have a nice day
GV
----- Original Message -----
From: "Ulf Lamping" <ulf.lamping at web.de>
To: <ntar-workers at winpcap.org>
Cc: "Gianluca Varenni" <gianluca.varenni at cacetech.com>
Sent: Wednesday, October 17, 2007 3:11 AM
Subject: Major rework / review of pcapng file format in CVS - please review
> Hi List!
>
> I've just committed into ntar CVS lots of changes to the PCAPng
> Specification document. I didn't add any new elements, but tried to
> clarify, remove inconsistencies, ...
>
> Some of the changes were discussed with Gianluca before, some of them I've
> just tried to get a better document - but this very certainly needs
> further work.
>
>
> What I've changed ...
>
> Lots of editing:
> change: put block types back into one section (looked ugly) - but keep the
> separation of them
> add: section "Logical Block Hierarchy" - an attempt to visualize the
> dependencies of the blocks (I'm still not 100% satisfied)
> change: some more file format examples
> add: give example content to the Option fields throughout the doc (lots
> of TODO here, especially for IPv6)
> change: ASCII art: now includes the block header, byte offsets, ...
> change: obsolete "Packet Block" moved further below other packet blocks
> (it confuses to mention the obsolete block first)
> add: "recommended file name extension .pcapng" section (to avoid the
> situation that we have for libpcap files today)
> add: possible block type 0x0A0D0A00-0x0A0D0AFF (caused by buggy ASCII
> translation of MSIE I've already seen "in the wild")
> add: link layer header appendix (almost empty, needs further work)
> change: add some more TODO and change my previous XXX markers also to TODO
>
> Incompatible changes in "Interface Statistics Block" (this block wasn't
> used before, so we still can change it):
> change Interface ID to be 32 bits (was 16 bits and a 16 bit reserved
> field - so it's now consistent with other parts of the doc)
> isb_starttime/isb_endtime now uses fractional seconds according to
> if_tsaccur (so it's consistent with other timestamps - was formerly fixed
> to nanoseconds)
>
>
> I think this spec is now better than before (but still far from being
> perfect), please have a look and comment, hope to hear from you ...
>
> Regards, ULFL
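
An added example, not part of the original messages or the ntar code: a Python check for the block type range 0x0A0D0A00-0x0A0D0AFF mentioned in the change list above. The Section Header Block type 0x0A0D0D0A and the byte-order magic 0x1A2B3C4D come from the pcapng specification rather than from this thread; the function names, the constructed sample block, and the choice of CRLF-to-LF as the translation are assumptions for illustration.

```python
import struct

SHB_TYPE = 0x0A0D0D0A          # Section Header Block type (pcapng spec)
BYTE_ORDER_MAGIC = 0x1A2B3C4D  # byte-order magic (pcapng spec)
# Range listed in the message for files damaged by ASCII translation.
MANGLED_RANGE = range(0x0A0D0A00, 0x0A0D0AFF + 1)


def build_shb(endian):
    """Constructed minimal SHB without options; endian is '<' or '>'."""
    # magic, major version 1, minor version 0, section length -1 (unknown)
    body = struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)
    total = 4 + 4 + len(body) + 4
    head = struct.pack(endian + "II", SHB_TYPE, total)
    return head + body + struct.pack(endian + "I", total)


def ascii_translate(data):
    """Assumed translation: a text-mode transfer that turns CRLF into LF."""
    return data.replace(b"\r\n", b"\n")


def classify_start(data):
    """Classify the first bytes of a capture file before parsing it."""
    if len(data) < 12:
        return "truncated"
    # The SHB type is a byte palindrome, so it reads the same in either
    # byte order; the damaged form is compared as a big-endian value.
    (block_type,) = struct.unpack(">I", data[:4])
    if block_type in MANGLED_RANGE:
        return "ascii-mangled"
    if block_type != SHB_TYPE:
        return "not-pcapng"
    (magic,) = struct.unpack(">I", data[8:12])
    if magic == BYTE_ORDER_MAGIC:
        return "pcapng-big-endian"
    if magic == 0x4D3C2B1A:  # the same magic written little-endian
        return "pcapng-little-endian"
    return "bad-byte-order-magic"


if __name__ == "__main__":
    for endian in ("<", ">"):
        good = build_shb(endian)
        print(classify_start(good), classify_start(ascii_translate(good)))
```

A reader that reports the damaged case separately can tell the user the file was transferred in text mode instead of failing with a generic format error.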