[pcap-ng-format] Reading and writing blocks you don't understand
Guy Harris
guy at alum.mit.edu
Thu Jul 17 18:30:49 UTC 2014
If you have a pcap-ng file with a section with a given endianness, and a program that reads a pcap-ng file, processes it in some fashion, and writes out a new file, what should that program do with blocks that it doesn't understand?
If a block contains integral or floating-point values more than one byte long, those values should be written out in the byte order indicated by the SHB for the section containing the block.
If the program in question does not understand that block, it must, when writing the new file, either not write that block or write it out unmodified.
The latter choice would require that it write the file section containing the block in the same byte order as the byte order of the same section in the file that it reads - *NOT* the byte order of the host running the program.
I.e., whilst the code that initially creates the contents of a pcap-ng file should write that file's sections out in its own byte order, code that creates a pcap-ng file based on the contents of an existing file should perhaps write that file's sections out in the same byte order as in the existing file.
Unfortunately, that won't work if the code is processing *more than one* file and blocks that would go into the same section in the output file come from sections with different byte orders.
Perhaps the rule should be "if you don't understand it, don't write it", with a *possible* exception that, if it was in your byte order when you read it, you can write it out in a section with the same byte order.
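The rule proposed in the message above, as an added Python example that is not part of the original post: it walks the blocks of a pcap-ng byte string, tracks each section's byte order from the SHB byte-order magic, and decides per block whether to rewrite it, copy it verbatim, or drop it. The function names, the action labels, and the block type `0x80000001` (standing in for a block the program does not understand) are assumptions made for illustration.

```python
import struct

SHB_TYPE = 0x0A0D0D0A            # reads the same in either byte order
BOM = 0x1A2B3C4D                 # byte-order magic in the SHB body
ORDERS = {struct.pack(e + "I", BOM): e for e in "<>"}

def walk_blocks(data):
    """Yield (endian, block_type, raw_block) for each block in the input."""
    off, endian = 0, None
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError("truncated block header")
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":
            endian = ORDERS.get(data[off + 8:off + 12])   # new section
        if endian is None:
            raise ValueError("no valid SHB byte-order magic")
        btype, total = struct.unpack_from(endian + "II", data, off)
        # Reject lengths that would leave the buffer or never advance.
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("bad block length")
        if struct.unpack_from(endian + "I", data, off + total - 4)[0] != total:
            raise ValueError("trailing length mismatch")
        yield endian, btype, data[off:off + total]
        off += total

def plan_output(data, known_types, out_endian):
    """Return (block_type, action) pairs for an output section in out_endian."""
    plan = []
    for endian, btype, _raw in walk_blocks(data):
        if btype in known_types:
            action = "rewrite"   # understood: can be re-encoded in out_endian
        elif endian == out_endian:
            action = "copy"      # opaque, but already in the output byte order
        else:
            action = "drop"      # opaque and in the other byte order
        plan.append((btype, action))
    return plan

def make_block(endian, btype, body):
    """Build a sample block; body length must be a multiple of 4."""
    total = 12 + len(body)
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)

def make_shb(endian):
    return make_block(endian, SHB_TYPE, struct.pack(endian + "IHHq", BOM, 1, 0, -1))

# Constructed sample: one little-endian and one big-endian section,
# each holding a block of a type the program does not understand.
UNKNOWN = 0x80000001
SAMPLE = b"".join(make_shb(e) + make_block(e, UNKNOWN, b"\x01\x02\x03\x04") for e in "<>")
```
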