[pcap-ng-format] Reading and writing blocks you don't understand

Michael Richardson mcr at sandelman.ca
Sun Jul 20 00:06:55 UTC 2014


Guy Harris <guy at alum.mit.edu> wrote:
    >>> This is an interesting question... What about using some bits in the
    >>> block type to indicate what should be done. Basically one bit could
    >>> mean: * stop processing of the file or continue when reading Another
    >>> one could mean: * drop when writing or just copy it out.
    >>
    >> Yes, have a critical bit in the option space.

    > By "critical bit" do you mean "if you can't understand this block, you
    > can't understand the file", so that if you're reading the file and see
    > a block with that bit set, you have to stop processing the file"?

Yes.  It would be set rarely, but it provides the right out to the conundrum
of wanting to both be general, and also not to fail.

    > An
    > IDB would be such a block, as you can't interpret packet blocks without
    > knowing the link-layer header type for the interface for the packet,
    > and one might consider packet blocks to be critical, too, as there's
    > not much to analyze if you can't read a packet block. :-)

It could even be that there are multiple kinds of critical bit; if you are a
tool that doesn't care about the link-layer header, because actually you are
just slicing and dicing ("cat", "sort", etc.) the file, not interpreting the
contents.

    > Ideally, we wouldn't introduce those, as that'd mean there'd be pcap-ng
    > files that no old software could read, even with a loss of information.

Of course, there might be a --ignore-critical option.

    > In some sense, adding such a block would mean you've bumped the minor
    > version number; however, using the minor version number in that fashion
    > means you'd want to set the minor version number based on whether
    > you're going to write out a block of that type or not, which might
    > require going back and fixing the version number afterwards if you
    > can't determine that ahead of time - and a program that can write to a
    > pipe can't go back and fix the version number afterwards.

Agreed.   I don't know how often we would not know ahead of
time.  Certainly in the case of the capture side, we know what the link layer
blocks need to be.
In the case of merging files such as using literal /bin/cat, we might not know.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
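As an added illustration of the reading side of this discussion (example code, not from the thread or the pcapng project): a minimal block walker that steps over unknown blocks by their Block Total Length, as the format already permits, and that honours a hypothetical critical bit in the block type together with an ignore-critical switch, as floated above. The critical bit value, the sample section and the build_block helper are assumptions constructed here.

```python
import struct

SHB = 0x0A0D0D0A   # Section Header Block; its type reads the same in either byte order
IDB = 0x00000001   # Interface Description Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D
KNOWN = {SHB: "SHB", IDB: "IDB"}
# Hypothetical "critical" flag in the block type, as floated in the thread;
# an assumption for this example, not part of the pcapng format.
CRITICAL_BIT = 0x40000000

def walk_blocks(data, ignore_critical=False):
    """Return [(name, action)]: 'read' for known types, 'skipped' for unknown types
    stepped over via their length, 'stop' for an unknown block with the critical bit."""
    out, off, endian = [], 0, "<"
    while off + 8 <= len(data):
        btype, = struct.unpack_from(endian + "I", data, off)
        if btype == SHB:  # palindromic type, so readable before the byte order is known
            magic, = struct.unpack_from("<I", data, off + 8)
            endian = {BYTE_ORDER_MAGIC: "<", 0x4D3C2B1A: ">"}[magic]
        blen, = struct.unpack_from(endian + "I", data, off + 4)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        tail, = struct.unpack_from(endian + "I", data, off + blen - 4)
        if tail != blen:
            raise ValueError(f"trailing length mismatch at offset {off}")
        base = btype & ~CRITICAL_BIT
        if base in KNOWN:
            out.append((KNOWN[base], "read"))
        elif btype & CRITICAL_BIT and not ignore_critical:
            out.append((hex(btype), "stop"))   # can't understand the block, so stop
            break
        else:
            out.append((hex(btype), "skipped"))  # unknown but skippable by length
        off += blen
    return out

def build_block(btype, body, endian="<"):
    """Constructed helper: frame a body as a pcapng block, padded to 32 bits."""
    body += b"\0" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)

# Constructed sample section: SHB, IDB (Ethernet, snaplen 65535), a local-use
# block (MSB set, reserved for local use) and a local-use block flagged critical.
SAMPLE = (
    build_block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    + build_block(IDB, struct.pack("<HHI", 1, 0, 65535))
    + build_block(0x80000001, b"vendor-private data")
    + build_block(0x80000002 | CRITICAL_BIT, b"must-understand data")
)
```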
