[pcap-ng-format] reserving blocks

Loris Degioanni loris.degioanni at gmail.com
Mon Feb 10 06:12:06 UTC 2014


On Fri, Feb 7, 2014 at 2:14 PM, Jasper Bongertz <jasper at packet-foo.com> wrote:

>  Hello Loris,
>
> can you check if the INTERFACE LIST BLOCK can be replaced with the
> existing "Interface Description Block", or maybe extended by adding options
> to it? You can find the one I am talking about at section 3.2 at
> http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
>


The purpose of the INTERFACE LIST BLOCK is storing the list of network
interfaces (and their addresses) of the machine where the capture has been
done. The information is somewhat similar to the one included in the
interface description block, but the semantics are quite different. I could
encode the INTERFACE LIST BLOCK information in a sequence of interface
description blocks, but then we would need a way to specify which
interface description block is the one used for capture.



>
> The same goes for the PROCESS LIST BLOCK - can you check if the
> specifications of the block called "Process Event Block" in use by the Hone
> Project fits your needs? See section 3.1 at
> https://github.com/HoneProject/Linux-Sensor/blob/master/hone-pcapng.txt
>


The two blocks are actually very different. The PROCESS LIST BLOCK contains
a list of machine processes, similar to what ps would emit. I can
definitely use a different name if you think it's confusing. Do you have
suggestions?

Loris



>
> I want to avoid having very similar block types twice in the
> specifications if possible, especially if the names are easily confused as
> well. If you have to add those two block types as completely new types
> could you please find names for them that make them distinguishable from
> the existing ones?
>
> Thanks,
> Jasper
>
>
> Friday, February 7, 2014, 10:08:11 PM, you wrote:
>
>
>  I need 6 blocks, that have to do with capturing system events in a new
> open source tool that I'm about to release. Here they are:
>
> MACHINE INFO BLOCK
> PROCESS LIST BLOCK
> FD LIST BLOCK
> EVENT BLOCK
> INTERFACE LIST BLOCK
> USER LIST BLOCK
>
> The exact block structures are still work in progress, but I will release
> the code that implements them.
>
> So if it's ok with you I will use block numbers 0x201->0x206.
>
> Loris
>
>
> On Fri, Feb 7, 2014 at 12:19 PM, Jasper Bongertz <jasper at packet-foo.com>
> wrote:
> Hello Loris,
>
> I don't think there is a real process for that right now. A group of
> developers met last year at Sharkfest at my request to see how to proceed
> with the existing design specifications. The idea at the moment is to make
> an RFC out of it, but that is still in progress. We also did not yet define
> how to add new block types, but we agreed that the existing specification
> minus the experimental block types should become the 1.0 specification. So
> anything added on top of that will be in a later official RFC (if we get it
> to be accepted as an RFC, that is).
>
> What kind of blocks do you need? The hone project added additional block
> types like 0x101 and 0x102 on their own, so maybe you could go with
> something like x201, x202 etc. up for the time being? If that's okay just
> let me know the block types and structures so I can keep track of them.
>
> Cheers,
> Jasper
>
>
> Friday, February 7, 2014, 8:47:49 PM, you wrote:
>
>
>  I need to reserve some pcap-ng block types for a project I'm working on.
> Can anyone remind me of the process I need to follow?
>
>
> -- Best regards, Jasper
> mailto:jasper at packet-foo.com
>