[pcap-ng-format] I've updated the spec to note that IDBs don't all have to be at the beginning of the file
Guy Harris
guy at alum.mit.edu
Tue May 20 18:54:09 UTC 2014
The only restriction on IDBs is that an IDB for an interface must appear before any EPB/SPB/PB for packets on that interface.
A capturing program could conceivably start capturing on a given set of interfaces and, in the middle of the capture process, add another interface to the list of interfaces. This could either happen by explicitly opening an additional interface or by capturing on a special "capture on everything" pseudo-interface (such as libpcap-on-Linux's "all" interface or OS X Mavericks's libpcap's "any"/"all" interface).
On "capture on everything" interfaces, arguably the capture file should have IDBs for the actual interfaces, rather than for the pseudo-interface, if possible, so that you can tell on which interface a packet arrived.
More information about the pcap-ng-format
mailing list