[pcap-ng-format] New block types to save the result of analysing a capture (Port map)

Anders Broman a.broman at bredband.net
Sat Jun 2 03:25:24 PDT 2012


Hi,
It could be useful to have pcap-ng blocks to save information across
analysis sessions, such as which protocol is to be dissected for
UDP/TCP/SCTP/.../ packets to/from a port combination, especially if the
packets forming the basis for determining that are no longer in the
trace, i.e. filtered out. There might also be a need for vendor-specified
blocks to save information in a form specific to an analysis tool such as
Wireshark.

How about specifying a block similar to the address resolution block 
listing containing:
Carrier protocol (UDP) IP A Port A IP B PORT B Destination protocol RTP

One problem is the protocol names: is a registry needed? String or
number representation? etc.

Comments?

Regards
Anders
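
The record list proposed in the message above, framed as a pcapng block, as an added sketch that is not part of the original post or of any pcapng specification. The block type (taken from the local-use range with bit 31 set), the record types, the field order, little-endian byte order, IPv4-only addresses and the string form of the protocol name are all assumptions.

```python
import socket
import struct

# Every constant and field layout here is an assumption made for this sketch.
PORTMAP_BLOCK_TYPE = 0x80000001  # hypothetical; bit 31 set = pcapng local-use range
REC_END, REC_IPV4 = 0, 1         # hypothetical record types, NRB-style

def pad32(data):
    """pcapng pads block bodies and record values to 32-bit boundaries."""
    return data + b"\x00" * (-len(data) % 4)

def pack_record(carrier, ip_a, port_a, ip_b, port_b, proto_name):
    # Value: carrier IP protocol number, pad byte, port A, port B, IPv4 A, IPv4 B, name.
    value = struct.pack("<BxHH", carrier, port_a, port_b)
    value += socket.inet_aton(ip_a) + socket.inet_aton(ip_b) + proto_name.encode()
    return pad32(struct.pack("<HH", REC_IPV4, len(value)) + value)

def pack_block(entries):
    body = b"".join(pack_record(*e) for e in entries) + struct.pack("<HH", REC_END, 0)
    total = 12 + len(body)  # type + length + body + trailing length
    return struct.pack("<II", PORTMAP_BLOCK_TYPE, total) + body + struct.pack("<I", total)

def parse_block(buf):
    if len(buf) < 12:
        raise ValueError("truncated block")
    btype, total = struct.unpack_from("<II", buf, 0)
    if btype != PORTMAP_BLOCK_TYPE:
        raise ValueError("not a port map block")
    if total % 4 or total < 12 or total > len(buf):
        raise ValueError("bad block length")
    if struct.unpack_from("<I", buf, total - 4)[0] != total:
        raise ValueError("leading and trailing lengths differ")
    entries, off, end = [], 8, total - 4
    while off + 4 <= end:
        rtype, rlen = struct.unpack_from("<HH", buf, off)
        off += 4
        if rtype == REC_END:
            return entries
        if off + rlen > end or (rtype == REC_IPV4 and rlen < 14):
            raise ValueError("bad record length")
        if rtype == REC_IPV4:  # unknown record types are skipped
            carrier, port_a, port_b = struct.unpack_from("<BxHH", buf, off)
            ip_a = socket.inet_ntoa(buf[off + 6:off + 10])
            ip_b = socket.inet_ntoa(buf[off + 10:off + 14])
            name = buf[off + 14:off + rlen].decode()
            entries.append((carrier, ip_a, port_a, ip_b, port_b, name))
        off += rlen + (-rlen % 4)
    raise ValueError("missing end-of-records marker")

SAMPLE = [(17, "192.0.2.10", 5004, "192.0.2.20", 5006, "RTP")]  # constructed
```

The parser rejects inconsistent block and record lengths before slicing, since a capture file from an untrusted source can carry arbitrary length fields.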



