[pcap-ng-format] Plans to finalize pcap-ng 1.1 spec during July

Guy Harris guy at alum.mit.edu
Fri Jul 4 23:12:06 UTC 2014


On Jul 4, 2012, at 6:54 AM, Jasper Bongertz <jasper.bongertz at flane.de> wrote:

>> 1. Specify that the block total length must be a multiple of four.
>> This allows simple-minded parsers to skip blocks they don't understand
>> without having to do any work. This aspect is ambiguous, I believe, in
>> the draft spec. It states that the contents of the block must be
>> aligned to 32 bits but the wording for the block total length does not
>> stipulate that, and there are example captures where the length is
>> two-byte aligned.
> 
> This is one of the things where I think we might be able to add that without increasing the version since it should be the case anyway.

The spec currently says nothing explicit about that, but

	1) there are references to 32-bit alignment elsewhere in the spec

and

> I can't remember any block structure that would not be 32 bit aligned

	2) all blocks we define, and the blocks defined for the Hone project:

		https://github.com/HoneProject/Linux-Sensor/blob/master/hone-pcapng.txt

	   have sizes that are multiples of 4 bytes (the spec uses "aligned to 32 bits" for variable-length fields in a number of places where it presumably means "*padded* to 32 bits", as all the stuff preceding the field is aligned on a 32-bit boundary).

So I'd say we should

	1) clarify that "aligned to 32 bits" means "padded to a multiple of 32 bits" (probably by restating it in that fashion)

and

	2) indicate that lengths MUST be a multiple of 4 bytes.

I don't think this needs a version number change.

If there are no objections, I'll update the draft-tuexen-opsawg-pcapng.xml document in the SVN repository to reflect that.  (I assume that's the version of the document on which we should be working; it has some updates beyond what are in PCAP-DumpFileFormat.xml.)
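
The block-skipping behaviour discussed in this message, as an added example that is not part of the original e-mail or of any pcap-ng implementation: a reader that walks blocks by length alone and enforces the proposed multiple-of-4 rule. `walk_blocks`, `make_block`, the `0x7FFF0001` block type and the sample bytes are constructed for illustration, and rejecting a bad length instead of tolerating it is this example's assumption.

```python
import struct

SHB_TYPE = 0x0A0D0D0A            # Section Header Block type (reads the same in either byte order)
BYTE_ORDER_MAGIC = 0x1A2B3C4D    # first field of the SHB body
UNKNOWN_TYPE = 0x7FFF0001        # constructed block type this reader does not understand

def walk_blocks(data):
    """Return [(block_type, offset, total_length)] without parsing any block body.
    Rejecting (rather than tolerating) bad lengths is this example's assumption."""
    blocks, off, endian = [], 0, "<"
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError(f"offset {off}: truncated block header")
        if data[off:off + 4] == struct.pack("<I", SHB_TYPE):
            # A new section starts here; its byte order follows the length field.
            magic = data[off + 8:off + 12]
            if magic == struct.pack("<I", BYTE_ORDER_MAGIC):
                endian = "<"
            elif magic == struct.pack(">I", BYTE_ORDER_MAGIC):
                endian = ">"
            else:
                raise ValueError(f"offset {off}: bad byte-order magic")
        btype, total = struct.unpack_from(endian + "II", data, off)
        if total < 12:
            raise ValueError(f"offset {off}: block total length {total} below minimum of 12")
        if total % 4:
            raise ValueError(f"offset {off}: block total length {total} is not a multiple of 4")
        if off + total > len(data):
            raise ValueError(f"offset {off}: block runs past end of data")
        (trailer,) = struct.unpack_from(endian + "I", data, off + total - 4)
        if trailer != total:
            raise ValueError(f"offset {off}: trailing length {trailer} != leading {total}")
        blocks.append((btype, off, total))
        off += total                      # the whole "skip": no knowledge of the body needed
    return blocks

def make_block(btype, body, total=None):
    """Build a little-endian block; body is padded to 32 bits unless total is forced."""
    if total is None:
        body += b"\0" * (-len(body) % 4)
        total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

# Constructed sample data: SHB (version 1.0, section length unknown), then an unknown block.
SHB = make_block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
GOOD = SHB + make_block(UNKNOWN_TYPE, b"\x01\x02\x03\x04\x05")
# Same stream with a block whose length is only two-byte aligned (14 bytes).
BAD = SHB + make_block(UNKNOWN_TYPE, b"\x01\x02", total=14)

if __name__ == "__main__":
    print(walk_blocks(GOOD))
```
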

