[pcap-ng-format] Reading and writing blocks you don't understand

Michael Tuexen tuexen at wireshark.org
Sat Jul 19 22:00:37 UTC 2014 

On 17 Jul 2014, at 14:30, Guy Harris <guy at alum.mit.edu> wrote:

> If you have a pcap-ng file with a section with a given endianness, and a program that reads a pcap-ng file, processes it in some fashion, and writes out a new file, what should that program do with blocks that it doesn't understand?
This is an interesting question... What about using some bits in the block type to indicate
what should be done. Basically one bit could mean:
* stop processing of the file or continue when reading
Another one could mean:
* drop when writing or just copy it out.

This could also apply to options...

Best regards
Michael
> 
> If a block contains integral or floating-point values more than one byte long, those values should be written out in the byte order indicated by the SHB for the section containing the block.
> 
> If the program in question does not understand that block, it must, when writing the new file, either not write that block, or must write it out unmodified.
> 
> The latter choice would require that it write the file section containing the block in the same byte order as the byte order of the same section in the file that it reads - *NOT* the byte order of the host running the program.
> 
> I.e., whilst the code that initially creates the contents of a pcap-ng file should write that file's sections out in its own byte order, code that creates a pcap-ng file based on the contents of an existing file should perhaps write that file's sections out in the same byte order as in the existing file.
> 
> Unfortunately, that won't work if the code is processing *more than one* file and blocks that would go into the same section in the output file come from sections with different byte orders.
> 
> Perhaps the rule should be "if you don't understand it, don't write it", with a *possible* exception that, if it was in your byte order when you read it, you can write it out in a section with the same byte order.
> _______________________________________________
> pcap-ng-format mailing list
> pcap-ng-format at winpcap.org
> https://www.winpcap.org/mailman/listinfo/pcap-ng-format
>

More information about the pcap-ng-format mailing list