[pcap-ng-format] TODO in pcap-ng specifications

Guy Harris guy at alum.mit.edu
Wed Jul 25 16:57:17 PDT 2012


On Jul 25, 2012, at 3:09 PM, Jasper Bongertz wrote:

> On 25.07.2012 04:45, Guy Harris wrote:
> 
>>> Text: "The filter (e.g. "capture only TCP traffic") used to
>>> capture traffic. The first byte of the Option Data keeps a code
>>> of the filter used (e.g. if this is a libpcap string, or BPF
>>> bytecode, and more). More details about this format will be
>>> presented in Appendix XXX (TODO). (TODO: better use different
>>> options for different fields? e.g. if_filter_pcap, if_filter_bpf,
>>> ...)"
>>> 
>>> Maybe this is something for someone who is more specialized in
>>> the capture filter business. I'm not sure if we need different
>>> fields for this.
>> 
>> I don't think so.  For one thing, what if you have more than one
>> such option?  Is a program that cares about it required to assume
>> that, say, an if_filter_bpf value is the result of compiling, on
>> the machine on which the compilation was done, the if_filter_pcap
>> value, or does it need to decide which of those filters was the one
>> actually used?
>> 
>> We *should*, however, nail down the code for the first byte.
> 
> Okay, how about
> 
> Code 1 for libpcap string
> Code 2 for BPF bytecode

Wireshark already assumes

	Code 0 for libpcap string
	Code 1 for BPF bytecode

so let's go with that instead.
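The dispatch on the first byte that Guy describes (code 0 = libpcap filter string, code 1 = BPF bytecode), written out as a small defensive decoder for the if_filter option value. This is an added example, not code from Wireshark, libpcap or the pcap-ng draft; it assumes the BPF instructions are laid out as struct bpf_insn (u16 code, u8 jt, u8 jf, u32 k) in the section's byte order, defaulting to little-endian, and the sample values are constructed rather than taken from a real capture.

```python
import struct

FILTER_CODE_PCAP_STRING = 0   # libpcap filter expression (as Wireshark assumes)
FILTER_CODE_BPF_BYTECODE = 1  # compiled BPF program (as Wireshark assumes)

BPF_INSN_SIZE = 8  # struct bpf_insn: u16 code, u8 jt, u8 jf, u32 k


def decode_if_filter(option_data: bytes, little_endian: bool = True):
    """Decode the value of a pcapng if_filter option.

    Returns ("pcap", "<expression>") or ("bpf", [(code, jt, jf, k), ...]).
    Raises ValueError on an empty value, an unknown code byte, or BPF
    bytecode whose length is not a whole number of instructions.
    """
    if not option_data:
        raise ValueError("if_filter option value is empty")
    code, payload = option_data[0], option_data[1:]
    if code == FILTER_CODE_PCAP_STRING:
        # Option strings are not NUL-terminated; strip padding NULs defensively.
        return "pcap", payload.rstrip(b"\x00").decode("utf-8", errors="replace")
    if code == FILTER_CODE_BPF_BYTECODE:
        if len(payload) % BPF_INSN_SIZE != 0:
            raise ValueError(
                f"BPF bytecode length {len(payload)} is not a multiple of {BPF_INSN_SIZE}")
        fmt = ("<" if little_endian else ">") + "HBBI"
        insns = [struct.unpack_from(fmt, payload, off)
                 for off in range(0, len(payload), BPF_INSN_SIZE)]
        return "bpf", insns
    raise ValueError(f"unknown if_filter code {code}")


def is_valid_if_filter(option_data: bytes) -> bool:
    """True if the option value decodes cleanly; a reader can use this to
    ignore a filter it cannot interpret instead of trusting it."""
    try:
        decode_if_filter(option_data)
        return True
    except ValueError:
        return False


# Constructed sample values (assumed, not from any real capture file).
SAMPLE_PCAP = bytes([FILTER_CODE_PCAP_STRING]) + b"tcp port 443"
# Two-instruction program: ldh [12] (BPF_LD|BPF_H|BPF_ABS = 0x28, k = 12)
# followed by ret #0xffff (BPF_RET|BPF_K = 0x06, k = 0xffff).
SAMPLE_BPF = (bytes([FILTER_CODE_BPF_BYTECODE])
              + struct.pack("<HBBI", 0x28, 0, 0, 12)
              + struct.pack("<HBBI", 0x06, 0, 0, 0xFFFF))

if __name__ == "__main__":
    print(decode_if_filter(SAMPLE_PCAP))
    print(decode_if_filter(SAMPLE_BPF))
```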

