[pcap-ng-format] Plans to finalize pcap-ng 1.1 spec during July

Fulvio Risso fulvio.risso at polito.it
Mon Jul 7 16:51:45 UTC 2014


Dear Guy, no objections from my side.
Thank you very much,

	fulvio


On 05/07/2014 01:12, Guy Harris wrote:
>
> On Jul 4, 2012, at 6:54 AM, Jasper Bongertz <jasper.bongertz at flane.de> wrote:
>
>>> 1. Specify that the block total length must be a multiple of four.
>>> This allows simple-minded parsers to skip blocks they don't understand
>>> without having to do any work. This aspect is ambiguous, I believe, in
>>> the draft spec. It states that the contents of the block must be
>>> aligned to 32 bits but the wording for the block total length does not
>>> stipulate that, and there are example captures where the length is
>>> two-byte aligned.
>>
>> This is one of the things where I think we might be able to add that without increasing the version since it should be the case anyway.
>
> The spec currently says nothing explicit about that, but
>
> 	1) there are references to 32-bit alignment elsewhere in the spec
>
> and
>
>> I can't remember any block structure that would not be 32 bit aligned
>
> 	2) all blocks we define, and the blocks defined for the Hone project:
>
> 		https://github.com/HoneProject/Linux-Sensor/blob/master/hone-pcapng.txt
>
> 	   have sizes that are multiples of 4 bytes (the spec uses "aligned to 32 bits" for variable-length fields in a number of places where it presumably means "*padded* to 32 bits", as all the stuff preceding the field is aligned on a 32-bit boundary).
>
> So I'd say we should
>
> 	1) clarify that "aligned to 32 bits" means "padded to a multiple of 32 bits" (probably by restating it in that fashion)
>
> and
>
> 	2) indicate that lengths MUST be a multiple of 4 bytes.
>
> I don't think this needs a version number change.
>
> If there are no objections, I'll update the draft-tuexen-opsawg-pcapng.xml document in the SVN repository to reflect that.  (I assume that's the version of the document on which we should be working; it has some updates beyond what are in PCAP-DumpFileFormat.xml.)
>
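
Added example, not part of the thread or of the draft spec: a minimal reader that skips blocks it does not understand using only the Block Total Length, and rejects a length that is not a multiple of 4 bytes, as proposed above. The names walk_blocks, make_block, UNKNOWN_TYPE and the sample byte strings are constructed for illustration.

```python
import struct

SHB_TYPE = 0x0A0D0D0A  # Section Header Block; reads the same in either byte order
BYTE_ORDER_MAGIC = 0x1A2B3C4D
UNKNOWN_TYPE = 0x00000BAD  # constructed block type this reader does not understand

def walk_blocks(data):
    """Yield (block_type, body) per block, skipping on the length field alone."""
    offset, endian = 0, "<"
    while offset < len(data):
        if len(data) - offset < 12:
            raise ValueError(f"truncated block at offset {offset}")
        if data[offset:offset + 4] == b"\x0a\x0d\x0d\x0a":
            # Each section header fixes the byte order for the blocks after it.
            magic = data[offset + 8:offset + 12]
            if magic == struct.pack("<I", BYTE_ORDER_MAGIC):
                endian = "<"
            elif magic == struct.pack(">I", BYTE_ORDER_MAGIC):
                endian = ">"
            else:
                raise ValueError(f"bad byte-order magic at offset {offset}")
        block_type, total = struct.unpack_from(endian + "II", data, offset)
        if total < 12 or offset + total > len(data):
            raise ValueError(f"block length {total} out of range at offset {offset}")
        if total % 4:
            raise ValueError(f"block length {total} at offset {offset} is not a multiple of 4")
        (trailer,) = struct.unpack_from(endian + "I", data, offset + total - 4)
        if trailer != total:
            raise ValueError(f"trailing length {trailer} != {total} at offset {offset}")
        yield block_type, data[offset + 8:offset + total - 4]
        offset += total

def make_block(block_type, body, endian="<", pad=True):
    """Build a constructed test block; pad=False leaves the body unpadded."""
    if pad:
        body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack(endian + "II", block_type, total) + body + struct.pack(endian + "I", total)

# Constructed sample data, not taken from a real capture.
SHB = make_block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
SAMPLE_OK = SHB + make_block(UNKNOWN_TYPE, b"hello") + make_block(UNKNOWN_TYPE, b"abcd")
SAMPLE_ODD = SHB + make_block(UNKNOWN_TYPE, b"sixbyt", pad=False)  # total length 18

if __name__ == "__main__":
    print([hex(t) for t, _ in walk_blocks(SAMPLE_OK)])
    try:
        list(walk_blocks(SAMPLE_ODD))
    except ValueError as err:
        print("rejected:", err)
```

The bounds and trailing-length checks run on every block, so a reader that trusts the length field to skip unknown blocks never seeks past the end of its input.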

