[pcap-ng-format] reserving blocks

Jasper Bongertz jasper at packet-foo.com
Mon Feb 10 10:16:54 UTC 2014


On 10.02.2014 07:12, Loris Degioanni wrote:
> On Fri, Feb 7, 2014 at 2:14 PM, Jasper Bongertz <jasper at packet-foo.com
> <mailto:jasper at packet-foo.com>> wrote:
>
>     Hello Loris,
>
>     can you check if the INTERFACE LIST BLOCK can be replaced with the
>     existing "Interface Description Block", or maybe extended by
>     adding options to it? You can find the one I am talking about at
>     section 3.2 at
>     http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
>
>
>
> The purpose of the INTERFACE LIST BLOCK is storing the list of network
> interfaces (and their addresses) of the machine where the capture has
> been done. The information is somewhat similar to the one included in
> the interface description block, but the semantic is quite different.
> I could encode the INTERFACE LIST BLOCK information in a sequence of
> interface description blocks, but then we would need a way to
> specify which interface description block is the one used for capture. 
>

Isn't that the way it is done at the moment? If I capture on multiple
interfaces in Wireshark I'll get a pcap-ng file with multiple Interface
Description Blocks, starting with an index of 0 and incremented by 1 for
each block (the index is not included in the IDB, but the rule is that
the first block has the index 0, the second is index 1 and so on). Each
packet then has an index value in the packet block header, indicating
the IDB of the interface it was captured on. So even if you want to
write interfaces into the trace that aren't used for capture you could
add e.g. ten interface blocks, even if only two are referenced by packets.

>  
>
>
>     The same goes for the PROCESS LIST BLOCK - can you check if the
>     specifications of the block called "Process Event Block" in use by
>     the Hone Project fits your needs? See section 3.1 at
>     https://github.com/HoneProject/Linux-Sensor/blob/master/hone-pcapng.txt
>
>
>
>
> The two blocks are actually very different. The PROCESS LIST
> BLOCK contains a list of machine processes, similar to what ps would
> emit. I can definitely use a different name if you think it's
> confusing. Do you have suggestions?

Can your PROCESS LIST BLOCK be written as chain of hone's PROCESS EVENT
BLOCKs, or doesn't that make any sense? I'm not trying to make things
harder for you, I just want to keep the specifications as duplicate-free
as possible :-)

>
> Loris
>  
>  
>
>
>     I want to avoid having very similar block types twice in the
>     specifications if possible, especially if the names are easily
>     confused as well. If you have to add those two block types as
>     completely new types could you please find names for them that
>     makes them distinguishable from the existing ones?
>
>     Thanks,
>     Jasper
>
>
>     Friday, February 7, 2014, 10:08:11 PM, you wrote:
>
>
>     I need 6 blocks that have to do with capturing system events in
>     a new open source tool that I'm about to release. Here they are:
>
>     MACHINE INFO BLOCK
>     PROCESS LIST BLOCK
>     FD LIST BLOCK
>     EVENT BLOCK
>     INTERFACE LIST BLOCK
>     USER LIST BLOCK
>
>     The exact block structures are still work in progress, but I will
>     release the code that implements them.
>
>     So if it's ok with you I will use block numbers 0x201->0x206.
>
>     Loris
>
>
>     On Fri, Feb 7, 2014 at 12:19 PM, Jasper Bongertz
>     <jasper at packet-foo.com <mailto:jasper at packet-foo.com>> wrote:
>     Hello Loris,
>
>     I don't think there is a real process for that right now. A group
>     of developers met last year at Sharkfest at my request to see how
>     to proceed with the existing design specifications. The idea at
>     the moment is to make an RFC out of it, but that is still in
>     progress. We also did not yet define how to add new block types,
>     but we agreed that the existing specification minus the
>     experimental block types should become the 1.0 specification. So
>     anything added on top of that will be in a later official RFC (if
>     we get it to be accepted as an RFC, that is).
>
>     What kind of blocks do you need? The hone project added additional
>     block types like 0x101 and 0x102 on their own, so maybe you could
>     go with something like x201, x202 etc. up for the time being? If
>     that's okay just let me know the block types and structures so I
>     can keep track of them.
>
>     Cheers,
>     Jasper
>
>
>     Friday, February 7, 2014, 8:47:49 PM, you wrote:
>
>
>     I need to reserve some pcap-ng block types for a project I'm
>     working on. Can anyone remind me the process I need to follow?
>
>
>
>
>
>
>
>
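
As an added illustration of the two mechanics this thread relies on (this is not code from the thread, the pcap-ng draft, Wireshark, Hone or Loris's tool): a small Python reader that numbers Interface Description Blocks by order of appearance and resolves each Enhanced Packet Block's Interface ID against that list, while stepping over any block type it does not know purely from the generic type/length framing. The sample section is constructed inline; block type 0x201 is assumed here to be an opaque privately reserved block of the kind being discussed, and the third packet deliberately references an interface index that no IDB defines, which is the kind of reference a reader should flag rather than silently accept.

```python
import struct
from dataclasses import dataclass
from typing import List

# Block type codes from the pcap-ng draft. 0x201 stands in for a privately reserved
# block of the kind discussed in the thread; its body is opaque to this reader (assumption).
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
PRIVATE_BLOCK = 0x00000201
BYTE_ORDER_MAGIC = 0x1A2B3C4D


def block(block_type, body, endian="<"):
    """Generic pcap-ng framing: type, total length, body padded to 32 bits, total length."""
    body += b"\x00" * ((-len(body)) % 4)
    total = 12 + len(body)
    return struct.pack(endian + "II", block_type, total) + body + struct.pack(endian + "I", total)


def build_sample_capture(endian="<"):
    """Constructed sample section: SHB, two IDBs, one private block, three EPBs."""
    e = endian
    shb = block(SHB, struct.pack(e + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1), e)
    idb0 = block(IDB, struct.pack(e + "HHI", 1, 0, 65535), e)    # LinkType 1 = Ethernet
    idb1 = block(IDB, struct.pack(e + "HHI", 101, 0, 65535), e)  # LinkType 101 = raw IP
    private = block(PRIVATE_BLOCK, b"opaque payload", e)

    def epb(iface, data):
        hdr = struct.pack(e + "IIIII", iface, 0, 0, len(data), len(data))
        return block(EPB, hdr + data, e)

    # The third packet claims interface 2, which no IDB defines: a malformed reference.
    return (shb + idb0 + idb1 + private
            + epb(0, b"\xaa" * 14) + epb(1, b"\x45" * 20) + epb(2, b"\xbb" * 8))


@dataclass
class Packet:
    interface_id: int
    data: bytes


@dataclass
class Section:
    interfaces: List[int]   # LinkType per IDB; list position is the implicit interface index
    packets: List[Packet]
    skipped: List[int]      # block types the reader did not understand and stepped over
    dangling: List[int]     # packet positions whose interface_id has no IDB behind it


def parse_pcapng(buf):
    """Walk one section, numbering IDBs by order of appearance and resolving EPBs against them."""
    off, endian = 0, None
    interfaces, packets, skipped = [], [], []
    while off + 12 <= len(buf):
        # The SHB type value is a byte palindrome, so it is recognisable before the endianness is known.
        if struct.unpack_from("<I", buf, off)[0] == SHB:
            if endian is not None:
                raise ValueError("second section found; this example handles one section")
            bom = struct.unpack_from("<I", buf, off + 8)[0]
            if bom == BYTE_ORDER_MAGIC:
                endian = "<"
            elif bom == 0x4D3C2B1A:
                endian = ">"
            else:
                raise ValueError("bad byte-order magic")
        if endian is None:
            raise ValueError("data does not start with a Section Header Block")
        btype, total = struct.unpack_from(endian + "II", buf, off)
        # Length sanity checks before trusting any offset derived from the file.
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError(f"bad block length {total} at offset {off}")
        if struct.unpack_from(endian + "I", buf, off + total - 4)[0] != total:
            raise ValueError(f"trailing length mismatch at offset {off}")
        body = buf[off + 8: off + total - 4]
        if btype == IDB:
            interfaces.append(struct.unpack_from(endian + "H", body, 0)[0])
        elif btype == EPB:
            iface, _, _, caplen, _ = struct.unpack_from(endian + "IIIII", body, 0)
            if 20 + caplen > len(body):
                raise ValueError(f"captured length {caplen} exceeds block body at offset {off}")
            packets.append(Packet(iface, bytes(body[20:20 + caplen])))
        elif btype != SHB:
            skipped.append(btype)   # unknown type: the framing alone is enough to step over it
        off += total
    dangling = [i for i, p in enumerate(packets) if p.interface_id >= len(interfaces)]
    return Section(interfaces, packets, skipped, dangling)
```

Running parse_pcapng(build_sample_capture()) yields interfaces [1, 101], packets on interfaces 0, 1 and 2, block type 0x201 in the skipped list, and packet position 2 reported as dangling. The same result comes back for build_sample_capture(">"), since the byte-order magic is read before anything else is interpreted. The skipping behaviour is what makes reserving private block numbers safe for existing readers; the dangling check is the part a reader should not leave out, because an Interface ID is an index into a list it has to validate, not a value it can trust.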
