[pcap-ng-format] Adding more options to the specification
Jasper Bongertz
jasper.bongertz at flane.de
Thu May 10 00:50:10 PDT 2012
Hi all,
not sure if anyone is reading this at all, I subscribed right away and never
got anything beyond the status mails. So this is also a test if the list
works :-)
My question is this: there are already optional fields in most block types,
and I wonder if it is still possible to add one or two more without breaking
support in Wireshark? As far as I understand the specifications it SHOULD be
possible, since an option is to be ignored if not understood.
For example: I'd like to add a text option to the SHB to write down what
program did the capture. There is already an option called "shb_userappl",
but that is the application name that wrote the section. If (like it is in my
case) I want to write a pcap-ng file with my own tool, I'd use that option to
specify my own application name, losing the original one written by dumpcap
(or whatever capture program really wrote the capture in the first place). So
maybe we can add an option called "shb_captureappl" that can be used to write
down what capture process originally captured the file?
Also, for EPBs I'd like to add an option called "epb_history" (also a text
option) that can be used to track changes to a packet. For example "IP
address anonymized" or something like that. There is a comment field, but I
feel that it should not be abused for change tracking because it is reserved
for users to take notes about packets. The format of the history might be
something like "change1","change2","change3"... so that there can be multiple
changes separated by comma and enclosed in quotation marks, with the latest
change at the end of the list.
Third (and last): can we assign block types to compression and encryption
blocks, or is there a reason why they do not have any?
Let me know what you think.
Cheers,
Jasper
Jasper Bongertz
Senior Consultant
Fast Lane Institute for Knowledge Transfer GmbH
Dept. Synerity Systems
Hansaallee 249
40549 Düsseldorf
Germany
eMail: jasper.bongertz at flane.de
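The forward-compatibility point raised in the mail (a reader must skip any option code it does not understand, using the option's length field) is easy to get wrong in a parser that trusts those length fields. The following is an added example, not code from the original post or from Wireshark: it builds a little-endian pcap-ng Section Header Block carrying the standard shb_userappl and opt_comment options plus a proposed "shb_captureappl" option under a placeholder code (0x7FF0, chosen for this example; the specification assigns no such code), then parses it back, skipping the unknown option and refusing any option or block whose declared length runs past the data actually present.

```python
"""Build and parse a pcap-ng Section Header Block (SHB), skipping unknown options safely.
Example code written for this discussion; little-endian sections only."""
import struct

SHB_TYPE = 0x0A0D0D0A          # block type of the Section Header Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D  # reads back as 0x4D3C2B1A in a big-endian section

# Option codes assigned by the pcap-ng specification for the SHB.
OPT_ENDOFOPT = 0
OPT_COMMENT = 1
SHB_HARDWARE = 2
SHB_OS = 3
SHB_USERAPPL = 4
KNOWN_SHB_OPTIONS = {
    OPT_COMMENT: "opt_comment",
    SHB_HARDWARE: "shb_hardware",
    SHB_OS: "shb_os",
    SHB_USERAPPL: "shb_userappl",
}

# Placeholder for the "shb_captureappl" option proposed in the mail. The spec
# assigns no code for it; this value is invented for the example only.
PROPOSED_SHB_CAPTUREAPPL = 0x7FF0


def _pad4(n):
    """Round a length up to the 4-byte boundary option values are padded to."""
    return (n + 3) & ~3


def encode_options(options):
    """Encode [(code, bytes), ...] as a pcap-ng option list ending in opt_endofopt."""
    out = bytearray()
    for code, value in options:
        if len(value) > 0xFFFF:
            raise ValueError("option value too long for 16-bit length field")
        out += struct.pack("<HH", code, len(value))
        out += value + b"\0" * (_pad4(len(value)) - len(value))
    out += struct.pack("<HH", OPT_ENDOFOPT, 0)
    return bytes(out)


def build_shb(options):
    """Return a complete SHB (block type, total length, body, trailing total length)."""
    # byte-order magic, major 1, minor 0, section length -1 (unknown)
    body = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + encode_options(options)
    total = 8 + len(body) + 4
    return struct.pack("<II", SHB_TYPE, total) + body + struct.pack("<I", total)


def parse_options(data, known):
    """Walk an option list. Returns ({name: [values]}, [skipped unknown codes]).
    Unknown codes are skipped by their declared length, as the spec requires;
    a length that points past the end of the data raises instead of over-reading."""
    found, skipped, off = {}, [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("option list ended without opt_endofopt")
        code, length = struct.unpack_from("<HH", data, off)
        off += 4
        if code == OPT_ENDOFOPT:
            if length != 0:
                raise ValueError("opt_endofopt must have length 0")
            return found, skipped
        end = off + _pad4(length)
        if end > len(data):
            raise ValueError("option length exceeds enclosing block")
        value = data[off:off + length]
        if code in known:
            found.setdefault(known[code], []).append(value)
        else:
            skipped.append(code)   # not understood: ignore, but keep walking
        off = end


def parse_shb(block):
    """Parse one SHB from bytes; validate both length fields before touching options."""
    if len(block) < 28:
        raise ValueError("block shorter than minimal SHB")
    btype, total = struct.unpack_from("<II", block, 0)
    if btype != SHB_TYPE:
        raise ValueError("not a Section Header Block")
    if total != len(block) or total % 4 != 0:
        raise ValueError("block total length does not match data")
    if struct.unpack_from("<I", block, total - 4)[0] != total:
        raise ValueError("trailing block total length mismatch")
    magic, major, minor, _seclen = struct.unpack_from("<IHHq", block, 8)
    if magic != BYTE_ORDER_MAGIC:
        raise ValueError("unsupported byte order (this example handles little-endian only)")
    opts, skipped = parse_options(block[24:total - 4], KNOWN_SHB_OPTIONS)
    return {
        "version": (major, minor),
        "options": {k: [v.decode("utf-8") for v in vs] for k, vs in opts.items()},
        "skipped_option_codes": skipped,
    }


if __name__ == "__main__":
    shb = build_shb([
        (SHB_USERAPPL, b"dumpcap"),                 # constructed sample values
        (PROPOSED_SHB_CAPTUREAPPL, b"my-tool 0.1"),
        (OPT_COMMENT, b"hi"),
    ])
    print(parse_shb(shb))
```

The parser reports which codes it skipped rather than silently dropping them, which is useful when checking whether a file written by a newer tool carries options an older reader cannot interpret. Note that parse_shb validates the block total length against both the leading and trailing copies before the option walk begins, so a corrupted or hostile length field cannot drive the walk outside the block.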