[pcap-ng-format] Application state records or options

Richard Sharpe realrichardsharpe at gmail.com
Sat Jun 2 10:22:28 PDT 2012

Hi folks,

Following up on a comment of mine on the Wireshark Development mailing
list, Anders Broman said:

> I'd like to discuss the pcap-ng track further, a new thread
> on the pcap-ng mailing list? (or at least CC) https://www.winpcap.org/mailman/listinfo/pcap-ng-format
> How about a block or blocks with a port to protocol map similar to the address resolution block
> ( TCP,UDP,SCTP... port map) a Wireshark conversations block might be a nice idea too so vendor
> specified blocks could be useful too.

I can see the need for what Anders suggests, but I would also like to
suggest that there is a need for some sort of Application State
records or options. I will leave it up to Anders to formally raise the
topic of port map blocks in pcap-ng.

There are many cases where people want to save just the few packets
that are of interest to them; however, if they do not save enough
packets (and oftentimes they don't know what they need to save), the
saved packets cannot be dissected properly by Wireshark (or other
programs) any longer.

It would be useful if there was some standard way for applications to
save state that they might need in order to dissect packets. My view
on this is that we should not overspecify the state. Simply specify it
as an application-specific blob.

While such state could be recorded up front before any relevant
packets, it is possible that there might even need to be a per-packet
option allowing state to be saved with a packet as well.

Obviously, applications are not required to save such state, and the
default would probably be not to save any state. Further, of course,
applications like Wireshark will require some further development
before this state is useful.

Richard Sharpe
