[pcap-ng-format] Multiple SHBs in a file

Jasper Bongertz jasper at packet-foo.com
Sun Aug 23 00:24:50 UTC 2015 

I agree, handling multiple SHBs IS painful (and I have to admit my
code in TraceWrangler isn't covering all the implications, but it
looks like I'm going to have to rewrite at least some of my pcapng
loader/writer code soon anyway).

I have never seen a file that had multiple concatenated sections
except one demo file that was broken. But this doesn't mean that there
may be a reason for it being used in the future.

I'd probably keep the option of having multiple SHBs even if it means
more work for implementing code to be able to process them. This is
something that needs to be done only once for each loader library, so
once it's done the pain is over (more or less). And if someone writing
his own loader code doesn't handle a second SHB and aborts loading
that's fine with me, too.

And I think at least one SHB is needed for the file magic and byte
order anyway, basically making it a FHB (file header block).

Saturday, August 22, 2015, 1:44:44 AM, Gianluca Varenni wrote:

> The original reason for multiple SHBs is exactly the one you
> mentioned i.e. being able to concatenate two files by just using
> "cat" or similar. With pcap, you need to have some tool to manually
> do that. And I agree, having to manage multiple SHBs in a file is a
> major pain, because every section has its own interfaces and it
> might even have different byte orders. I did implement support for
> it in NTAR, it was painful. At the same time, if you don't use
> multiple SHBs in a file, you can wonder why you have an SHB in the file to begin with...

> -----Original Message-----
> From: pcap-ng-format-bounces at winpcap.org
> [mailto:pcap-ng-format-bounces at winpcap.org] On Behalf Of Hadriel Kaplan
> Sent: Friday, August 21, 2015 4:09 PM
> To: Pcap-ng file format
> Subject: [pcap-ng-format] Multiple SHBs in a file

> Hi,
> Is there an actual, practical, use-case for having multiple Section
> Header Blocks in a single PCAP-NG file?

> It makes read-processing a file far more complicated, and I don't
> see any real benefit in return - except maybe for a dumb "file merger"
> which just concatenates SHB sections from separate files into one file
> - but I'm not sure why we should complicate the file format for that one action.

> Is there any existing application which can truly read-process a
> file with multiple SHBs? Is there an existing application which
> generates/creates a file with multiple SHBs?

> Because if not, I propose we get rid of it.

> -hadriel
> _______________________________________________
> pcap-ng-format mailing list
> pcap-ng-format at winpcap.org
> https://www.winpcap.org/mailman/listinfo/pcap-ng-format
> _______________________________________________
> pcap-ng-format mailing list
> pcap-ng-format at winpcap.org
> https://www.winpcap.org/mailman/listinfo/pcap-ng-format



-- 
Best regards,
 Jasper                            mailto:jasper at packet-foo.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3681 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://www.winpcap.org/pipermail/pcap-ng-format/attachments/20150823/6b7ca477/attachment-0001.bin>

More information about the pcap-ng-format mailing list