[pcap-ng-format] Multiple section header blocks
Carpenter, Brandon J
brandon.carpenter at pnnl.gov
Thu Nov 1 09:34:59 PDT 2012
Erik,
It is perfectly valid to have multiple SHBs in a single PCAP-NG file,
however, Wireshark currently supports only a single section header
block. I was working on improvements to Wireshark PCAP-NG handling
several months ago with support for multiple section header blocks
(among other things). The work is not complete, and I hope to get back
to it soon, but I can send you a patch for what I have.
Brandon
On 11/01/2012 05:27 AM, Erik Hjelmvik wrote:
> Hi all,
>
> I'm currently implementing PcapNG support in NetworkMiner, and added
> the ability to support multiple Section Header Blocks (so that both
> big and little endian frames can coexist in the same file). However,
> in order to verify my implementation I'd like to compare my parsing
> results to some other tool. I tried opening a pcapng file with
> multiple SHB in Wireshark, but it seems this isn't supported in
> Wireshark.
>
> My understanding is that it is valid for a pcapng file to contain
> multiple SHB. Is this correct?
>
> Do you know of any other tool that supports multuple SHB that I can
> use to verify against?
>
> Thanks!
>
> Regards,
> Erik
>
More information about the pcap-ng-format
mailing list