[pcap-ng-format] Multiple SHBs in a file

Anders Broman anders.broman at ericsson.com
Sat Aug 22 10:20:38 UTC 2015



Sent from my Sony Xperia™ smartphone

---- Vincent Lubet wrote ----

> Apple has packet capture tools that create multiple SHBs in a single pcap-ng file and the shipping version of tcpdump for OS X has been able to read them for 2 releases.

You should probably contribute that code to tcpdump. 

> 
> The nice thing about inserting a new SHB is that it not only resets the list of interfaces but also other types of blocks. For example we have a custom block for processes which can be long for large capture files.

You should reserve those blocktypes with pcap-ng.
Regards 
Anders

> 
> Vincent
> 
> 
> > On Aug 21, 2015, at 4:44 PM, Gianluca Varenni <Gianluca.Varenni at riverbed.com> wrote:
> > 
> > The original reason for multiple SHBs is exactly the one you mentioned i.e. being able to concatenate two files by just using "cat" or similar. With pcap, you need to have some tool to manually do that. And I agree, having to manage multiple SHBs in a file is a major pain, because every section has its own interfaces and it might even have different byte orders. I did implement support for it in NTAR, it was painful. At the same time, if you don't use multiple SHBs in a file, you can wonder why you have an SHB in the file to begin with...
> > 
> > -----Original Message-----
> > From: pcap-ng-format-bounces at winpcap.org [mailto:pcap-ng-format-bounces at winpcap.org] On Behalf Of Hadriel Kaplan
> > Sent: Friday, August 21, 2015 4:09 PM
> > To: Pcap-ng file format
> > Subject: [pcap-ng-format] Multiple SHBs in a file
> > 
> > Hi,
> > Is there an actual, practical, use-case for having multiple Section Header Blocks in a single PCAP-NG file?
> > 
> > It makes read-processing a file far more complicated, and I don't see any real benefit in return - except maybe for a dumb "file merger"
> > which just concatenates SHB sections from separate files into one file
> > - but I'm not sure why we should complicate the file format for that one action.
> > 
> > Is there any existing application which can truly read-process a file with multiple SHBs? Is there an existing application which generates/creates a file with multiple SHBs?
> > 
> > Because if not, I propose we get rid of it.
> > 
> > -hadriel
> > _______________________________________________
> > pcap-ng-format mailing list
> > pcap-ng-format at winpcap.org
> > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.winpcap.org_mailman_listinfo_pcap-2Dng-2Dformat&d=BQICAg&c=eEvniauFctOgLOKGJOplqw&r=SWz7qLYH1WllKF9SsHbg3g&m=dV_wLImGp666Xx-UPPYzYZRBDJMJwJ8RpvDe5nsG1K8&s=rBEbgCLx4ItIhLT47vfIso4_7Wwd27n0VzIqpS-0Tow&e= 
> 
> _______________________________________________
> pcap-ng-format mailing list
> pcap-ng-format at winpcap.org
> https://www.winpcap.org/mailman/listinfo/pcap-ng-format
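
The per-section state discussed in this thread (each SHB restarts the interface list and may change the byte order), as an added example that is not code from any poster, tcpdump or NTAR. The helper names (block, section, walk_sections) are hypothetical and the capture bytes are constructed inline; block layouts follow the pcapng specification.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006   # block types
BOM = 0x1A2B3C4D                                      # byte-order magic

def block(endian, btype, body):
    """Constructed test data: type, total length, body, total length."""
    total = struct.pack(endian + "I", len(body) + 12)
    return struct.pack(endian + "I", btype) + total + body + total

def section(endian, n_ifaces, epb_iface_ids):
    """Constructed section: SHB, n IDBs, one empty EPB per interface ID."""
    out = block(endian, SHB, struct.pack(endian + "IHHq", BOM, 1, 0, -1))
    out += block(endian, IDB, struct.pack(endian + "HHI", 1, 0, 65535)) * n_ifaces
    for iface in epb_iface_ids:
        out += block(endian, EPB, struct.pack(endian + "5I", iface, 0, 0, 0, 0))
    return out

def walk_sections(data):
    """Per-section summary; byte order and interface list restart at each SHB."""
    sections, off, endian = [], 0, None
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":   # same bytes in either order
            magic = data[off + 8:off + 12]
            if magic not in (struct.pack("<I", BOM), struct.pack(">I", BOM)):
                raise ValueError("bad byte-order magic at offset %d" % off)
            endian = "<" if magic == struct.pack("<I", BOM) else ">"
            sections.append({"endian": endian, "interfaces": 0,
                             "packets": 0, "bad_iface_refs": 0})
        elif endian is None:
            raise ValueError("file does not start with an SHB")
        btype, total = struct.unpack_from(endian + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("bad block length at offset %d" % off)
        cur = sections[-1]
        if btype == IDB:
            cur["interfaces"] += 1
        elif btype == EPB and total >= 32:
            cur["packets"] += 1
            (iface,) = struct.unpack_from(endian + "I", data, off + 8)
            if iface >= cur["interfaces"]:   # IDs are only valid inside this section
                cur["bad_iface_refs"] += 1
        off += total
    if off != len(data):
        raise ValueError("trailing bytes after last block")
    return sections

# Equivalent of `cat a.pcapng b.pcapng`: little-endian then big-endian section.
SAMPLE = section("<", 1, [0]) + section(">", 2, [1, 0])
# Second section defines one interface but refers to ID 1 (valid only in the first).
STALE = section("<", 2, [1]) + section(">", 1, [1])
```

A reader that kept the first section's interface table would accept the packet in STALE; resetting at the SHB is what exposes the out-of-range interface ID.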
