[pcap-ng-format] Reading and writing blocks you don't understand
Guy Harris
guy at alum.mit.edu
Thu Jul 17 19:57:59 UTC 2014
On Jul 17, 2014, at 11:30 AM, Guy Harris <guy at alum.mit.edu> wrote:
> Perhaps the rule should be "if you don't understand it, don't write it", with a *possible* exception that, if it was in your byte order when you read it, you can write it out in a section with the same byte order.
This applies not only to *blocks* you don't understand, but to *options* you don't understand.
Note also that, when merging pcap-ng files, copying blocks or options you don't understand might produce an incorrect file; if, for example, you have some new block type that, like an IDB, describes some item and gives that item an ordinal number, and you have some new option for packet blocks that refers to blocks of that type by the block's ordinal number, merging files will require assigning new ordinal numbers to those blocks.
This strongly suggests that the exception above should not be allowed, and if code doesn't understand a block or option, it should not write that block or option out when writing out a file.
More information about the pcap-ng-format
mailing list