[pcap-ng-format] Reading and writing blocks you don't understand
Michael Tuexen
tuexen at wireshark.org
Sat Jul 19 22:03:26 UTC 2014
On 17 Jul 2014, at 15:57, Guy Harris <guy at alum.mit.edu> wrote:
>
> On Jul 17, 2014, at 11:30 AM, Guy Harris <guy at alum.mit.edu> wrote:
>
>> Perhaps the rule should be "if you don't understand it, don't write it", with a *possible* exception that, if it was in your byte order when you read it, you can write it out in a section with the same byte order.
>
> This applies not only to *blocks* you don't understand, but to *options* you don't understand.
See my message sent a minute ago...
Best regards
Michael
>
> Note also that, when merging pcap-ng files, copying blocks or options you don't understand might produce an incorrect file; if, for example, you have some new block type that, like an IDB, describes some item and gives that item an ordinal number, and you have some new option for packet blocks that refers to blocks of that type by the block's ordinal number, merging files will require assigning new ordinal numbers to those blocks.
>
> This strongly suggests that the exception above should not be allowed, and if code doesn't understand a block or option, it should not write that block or option out when writing out a file.
>
> _______________________________________________
> pcap-ng-format mailing list
> pcap-ng-format at winpcap.org
> https://www.winpcap.org/mailman/listinfo/pcap-ng-format
>
More information about the pcap-ng-format
mailing list