[pcap-ng-format] Application state records or options

Anders Broman anders.broman at ericsson.com
Tue Jun 5 00:34:06 PDT 2012


-----Original Message-----
From: pcap-ng-format-bounces at winpcap.org [mailto:pcap-ng-format-bounces at winpcap.org] On Behalf Of Richard Sharpe
Sent: den 2 juni 2012 19:22
To: Pcap-ng file format
Subject: [pcap-ng-format] Application state records or options

Hi folks,

Following up on a comment of mine on the Wireshark Development mailing list, Anders Broman said:

>> I'd like to discuss the pcap-ng track further, a new thread on the 
>> pcap-ng mailing list? (or at least CC) 
>> https://www.winpcap.org/mailman/listinfo/pcap-ng-format
>> How about a block or blocks with a port to protocol map similar to the 
>> address resolution block (TCP, UDP, SCTP... port map)? A Wireshark 
>> conversations block might be a nice idea too, so vendor specified blocks could be useful too.

>I can see the need for what Anders suggests, but I would also like to suggest that there is a need for some sort of Application State records or options. I will leave it up to Anders to formally raise the topic of port map blocks in pcap-ng.

>There are many cases where people want to save just the few packets that are of interest to them; however, if they do not save enough packets (and oftentimes they don't know what they need to save) the saved packets cannot be dissected properly by Wireshark (or other programs) any longer.

>It would be useful if there was some standard way for applications to save state that they might need in order to dissect packets. My view on this is that we should not overspecify the state. Simply specify it as an application specific blob.

>While such state could be recorded up front before any relevant packets, it is possible that there might even need to be a per-packet option allowing state to be saved with a packet as well.

>Obviously, applications are not required to save such state, and the default would probably be not to save any state. Further, of course, applications like Wireshark will require some further development before this state is useful.

How about a "Sniffer information block"/"Trace information block" to go together with SHB, IDB ... at the beginning of the trace, with a "Vendor information" blob to be defined by the sniffer application? pcap-ng only
specifies the header and the Vendor ID format. Perhaps just a string to avoid a registry, or use http://www.iana.org/assignments/enterprise-numbers, then a vendor option (with sub options? Or just repeated if needed)
in all blocks, or a "trace information option" with a vendor part in it.

Richard Sharpe
pcap-ng-format mailing list
pcap-ng-format at winpcap.org

More information about the pcap-ng-format mailing list
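As an added example, not part of the thread or of any pcap-ng implementation, the following Python shows how a vendor-scoped blob of the kind discussed above fits the existing pcap-ng option framing: 16-bit option code, 16-bit length, value padded to a 32-bit boundary, list terminated by opt_endofopt. The custom option codes 2988/2989 (value prefixed with an IANA Private Enterprise Number) were added to the pcap-ng specification after this discussion took place, and PEN 32473 is the IANA value reserved for documentation; both are used here only to make the example concrete. The parser checks the length fields before trusting them, which is the main thing a reader of untrusted capture files needs to get right.

```python
"""Build and parse a pcap-ng Section Header Block carrying a vendor option.

Added example (not project code). Little-endian sections only; the byte-order
magic is checked so a big-endian file is rejected rather than misread.
"""
import struct

SHB_TYPE = 0x0A0D0D0A
BYTE_ORDER_MAGIC = 0x1A2B3C4D
OPT_ENDOFOPT = 0
OPT_COMMENT = 1
# Custom option codes from the later pcap-ng spec: value = 4-byte PEN + data.
CUSTOM_OPTION_CODES = (2988, 2989, 19372, 19373)
OPT_CUSTOM_BINARY = 2989
DOCUMENTATION_PEN = 32473  # IANA PEN reserved for documentation


def pad4(n):
    """Bytes of zero padding needed to reach the next 32-bit boundary."""
    return (4 - n % 4) % 4


def encode_option(code, value):
    """One option: code, length of value, value, padding."""
    return struct.pack("<HH", code, len(value)) + value + b"\x00" * pad4(len(value))


def encode_vendor_option(pen, blob, code=OPT_CUSTOM_BINARY):
    """Vendor blob scoped by an enterprise number, as a custom option."""
    return encode_option(code, struct.pack("<I", pen) + blob)


def encode_shb(options):
    """SHB: type, total length, magic, version 1.0, unknown section length,
    options, opt_endofopt, trailing total length."""
    body = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)
    body += b"".join(options) + encode_option(OPT_ENDOFOPT, b"")
    total = 8 + len(body) + 4
    return struct.pack("<II", SHB_TYPE, total) + body + struct.pack("<I", total)


def parse_options(buf):
    """Return [(code, pen_or_None, value)] with every length bounds-checked."""
    opts, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("<HH", buf, off)
        off += 4
        if code == OPT_ENDOFOPT:
            break
        if off + length > len(buf):
            raise ValueError("option length overruns block body")
        value = buf[off:off + length]
        off += length + pad4(length)
        if code in CUSTOM_OPTION_CODES:
            if length < 4:
                raise ValueError("custom option shorter than its PEN field")
            pen, = struct.unpack_from("<I", value, 0)
            opts.append((code, pen, value[4:]))
        else:
            opts.append((code, None, value))
    return opts


def parse_shb(data):
    """Validate framing of a little-endian SHB and return its fields."""
    if len(data) < 28:  # 8 header + 16 fixed body + 4 trailer
        raise ValueError("block too short for an SHB")
    btype, total = struct.unpack_from("<II", data, 0)
    if btype != SHB_TYPE:
        raise ValueError("not a Section Header Block")
    if total < 28 or total % 4 or total > len(data):
        raise ValueError("implausible block total length")
    trailer, = struct.unpack_from("<I", data, total - 4)
    if trailer != total:
        raise ValueError("leading and trailing block lengths disagree")
    magic, major, minor, section_len = struct.unpack_from("<IHHq", data, 8)
    if magic != BYTE_ORDER_MAGIC:
        raise ValueError("byte-order magic mismatch (big-endian or corrupt)")
    return {"major": major, "minor": minor, "section_len": section_len,
            "options": parse_options(data[24:total - 4])}


def build_example():
    """Constructed sample: a comment plus a vendor blob under the doc PEN."""
    return encode_shb([
        encode_option(OPT_COMMENT, b"constructed example"),
        encode_vendor_option(DOCUMENTATION_PEN, b"\x01\x02\x03"),
    ])


if __name__ == "__main__":
    print(parse_shb(build_example()))
```

The round trip is the point: the writer pads to 32 bits and the reader advances by length plus padding, so a reader that trusts a length field without the overrun check would read past the block on a crafted or truncated file.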