[pcap-ng-format] Issue #32: Is an empty option/record string valid?

Wed Aug 26 20:17:13 UTC 2015

Yes, of course - the program reading the file may always override how
to treat what is read from file. We can just specify the meaning of
fields/values in the file format. If a program decides to do something
else that's fine.

on Mittwoch, 26. August 2015 at 22:06 you wrote:

> Any program ought to be able to override it.  For example,
> Wireshark has a "hosts" file that could be used to override
> invalid/obsolete host names or one may simply choose to rename it for whatever reason.

> (See also bug 11470:
> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11470)

> -----Original Message-----
> From: pcap-ng-format-bounces at winpcap.org
> [mailto:pcap-ng-format-bounces at winpcap.org] On Behalf Of Jasper Bongertz
> Sent: Wed, August 26, 2015 3:49 PM
> To: Pcap-ng file format
> Subject: Re: [pcap-ng-format] Issue #32: Is an empty option/record string valid?

> I also say it's valid if empty.

> And I'd go for "capturing host doesn't know the host name". I've
> always interpreted the NRB to be a "helper" for name resolution when
> the program reading the file has no access to the DNS that could
> answer PTR queries as if it were still at the capture location. That
> may be interpreted as "if there's no host name, keep it that way",
> because the local DNS may have a different answer (e.g. when looking
> up private IPs that are present in both networks but have nothing in
> common9

> My 2 cents :-)

> on Mittwoch, 26. August 2015 at 20:34 you wrote:

>> On Aug 26, 2015, at 10:43 AM, Hadriel Kaplan 
>> <the.real.hadriel at gmail.com> wrote:

>>> For example just a zero byte for the nrb_record_ipv4/v6 name string 
>>> portions; or not even a zero byte for something like opt_comment or 
>>> if_description.
>>> 
>>> my 2 cents: I would argue they are valid.

>> Yes.

>> They might be *pointless* - a zero-length if_description would be 
>> equivalent to not *having* an if_description - but "pointless" doesn't imply "invalid".

>> Is an NRB record with a zero-length host name just an indication that 
>> the capturing host doesn't know the host name, or should it be treated 
>> as an indication that a program reading the file shouldn't try to 
>> resolve the IP address in question?
>> _______________________________________________
>> pcap-ng-format mailing list
>> pcap-ng-format at winpcap.org
>> https://www.winpcap.org/mailman/listinfo/pcap-ng-format
> CONFIDENTIALITY NOTICE: This message is the property of
> International Game Technology PLC and/or its subsidiaries and may
> contain proprietary, confidential or trade secret information.  This
> message is intended solely for the use of the addressee.  If you are
> not the intended recipient and have received this message in error,
> please delete this message from your system. Any unauthorized
> reading, distribution, copying, or other use of this message or its
> attachments is strictly prohibited.

> _______________________________________________
> pcap-ng-format mailing list
> pcap-ng-format at winpcap.org
> https://www.winpcap.org/mailman/listinfo/pcap-ng-format
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4015 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://www.winpcap.org/pipermail/pcap-ng-format/attachments/20150826/c5a2fe83/attachment.bin>