[pcap-ng-format] Multiple section header blocks
Gianluca Varenni
Gianluca.Varenni at riverbed.com
Fri Nov 2 12:35:27 PDT 2012
Correct. The easiest way to generate files with multiple SHBs is by concatenating them. And in order to test a number of scenarios, it's useful to concatenate files coming from different platforms (so that the byte order and link type can be different)
GV
-----Original Message-----
From: pcap-ng-format-bounces at winpcap.org [mailto:pcap-ng-format-bounces at winpcap.org] On Behalf Of Guy Harris
Sent: Thursday, November 01, 2012 11:17 AM
To: Pcap-ng file format
Subject: Re: [pcap-ng-format] Multiple section header blocks
On Nov 1, 2012, at 5:27 AM, Erik Hjelmvik <erik.hjelmvik at gmail.com> wrote:
> My understanding is that it is valid for a pcapng file to contain
> multiple SHB. Is this correct?
Yes.
I seem to remember Michael Richardson of tcpdump.org suggesting that it be possible to combine sequential pcap-ng files by simple concatenation, hence the support for multiple sections.
libpcap 1.1.0 and later have limited support for multiple SHBs; the current libpcap API has a call to get the byte order of the capture file, so it rejects capture files with multiple sections with different byte orders, it has calls to get the link-layer header type and snapshot length of the capture file, so it rejects capture files with Interface Description Blocks that have a link-layer header type or snapshot length different from those of the first IDB it sees. ("Rejects" means "returns an error when it reads the block that shows the problem", not "refuses to open".) _______________________________________________
pcap-ng-format mailing list
pcap-ng-format at winpcap.org
https://www.winpcap.org/mailman/listinfo/pcap-ng-format
More information about the pcap-ng-format
mailing list