[pcap-ng-format] Reading and writing blocks you don't understand
Michael Tuexen
tuexen at wireshark.org
Sat Jul 19 23:10:14 UTC 2014
On 19 Jul 2014, at 18:58, Guy Harris <guy at alum.mit.edu> wrote:
>
> On Jul 19, 2014, at 3:00 PM, Michael Tuexen <tuexen at wireshark.org> wrote:
>
>> On 17 Jul 2014, at 14:30, Guy Harris <guy at alum.mit.edu> wrote:
>>
>>> If you have a pcap-ng file with a section with a given endianness, and a program that reads a pcap-ng file, processes it in some fashion, and writes out a new file, what should that program do with blocks that it doesn't understand?
>> This is an interesting question... What about using some bits in the block type to indicate
>> what should be done. Basically one bit could mean:
>> * stop processing of the file or continue when reading
>> Another one could mean:
>> * drop when writing or just copy it out.
>>
>> This could also apply to options...
>
> I.e., divide blocks and options into categories, and encode the category in the block type/option code?
>
> I'm not sure why we'd have a "stop processing of the file or continue when reading" bit. I think the intent behind pcap-ng's extensibility is that unknown block types and options can always be ignored - information might be lost, but it wouldn't make it impossible to process the other blocks in the file; even if, for example, the information provided by a block or option is necessary to properly dissect packets, that information could potentially be supplied out-of-band, or the program reading the file could just stop dissecting and just show raw packet data at a point where it doesn't have enough information to continue.
OK. Makes sense.
Best regards
Michael
> _______________________________________________
> pcap-ng-format mailing list
> pcap-ng-format at winpcap.org
> https://www.winpcap.org/mailman/listinfo/pcap-ng-format
>
More information about the pcap-ng-format
mailing list