[pcap-ng-format] TODO in pcap-ng specifications

[Guy Harris]

On Jul 25, 2012, at 3:09 PM, Jasper Bongertz <jasper.bongertz at flane.de> wrote:

> On 25.07.2012 04:45, Guy Harris wrote:
> 
>>> shb_hardware			multiple shb_os				multiple shb_userappl
>>> multiple
>> 
>> That would require some way of determining, for instance of one of
>> those options, which instances of the other options go along with
>> it, if any.  If the capture program only supplied shb_hardware and
>> shb_os, and the first program that processed the file after that
>> only supplied shb_userappl, a naive program might think that was
>> the application that captured the trace.  (Either that, or we
>> should mandate that if any of those are present all should be
>> present, but it might be tricky to get some of them on some
>> platforms; I guess we could say "a zero-length string is OK, and it
>> means "I have no clue"".)
> 
> Right, this is a little difficult. These are optional values, so
> people will expect that they can be left out when writing files. I
> could live with "shb_hardware" and "shb_os" being "once" only, but
> "shb_userappl" is nice to have as "multiple". That way I can keep the
> original "dumpcap" string and add a new string with the name of my
> tool that I just used to write the modified file back to disk without
> replacing the original string.

OK, so I'd say either:

	shb_hardware is the hardware on which the capture file was originally created;

	shb_os is the OS on which the capture file was originally created;

	the first shb_userappl is the application that originally created the file, with subsequent shb_userappls being the applications that subsequently wrote it (reading from a file and writing out a new file does *NOT* count as creating the file in this case!);

or

	all three apply to the original creator of the file, and opt_comments are used to say "Edited by Wireshark 1.12.0" or "Filtered by tcpdump 1.8.2" or....

Preferences?