[pcap-ng-format] Does anyone actually generate the epb_hash field today?

Stephen Donnelly stephen.donnelly at avagotech.com
Thu Aug 27 22:13:15 UTC 2015


I don't use the current epb_hash option, but I can see some use cases.

The epb_hash could be a hash, signature, or digest over some part of the
packet 'payload'. This could be just the IP payload, the whole IP datagram,
or the entire Ethernet frame for example. The purpose would be to
accelerate the detection of 'duplicate' packets/payloads. These commonly
occur in some SPAN (or other Network Packet Broker) configurations, when
capturing from multiple VLANs, or when capturing at multiple points in a
network simultaneously.

Duplicates might be excluded from TCP analysis to avoid invalid
retransmission detection, or may be leveraged to measure network/equipment
latency.

Stephen

On Fri, Aug 28, 2015 at 3:05 AM, Hadriel Kaplan <the.real.hadriel at gmail.com>
wrote:

> Howdy,
> I'm not suggesting we get rid of the option, but does any code out
> there actually generate the EPB's epb_hash option?
>
> I have not found any code which does, and it's under-specified in
> terms of what the "algorithms" cover and how their values are encoded.
> (and some of the algorithms seem ludicrous to me - in particular the
> 2's complement and XOR "algorithms")
>
> I propose we remove them from the draft, but reserve their number
> codes (not re-use them) just in case.
>
> -hadriel
>
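The duplicate-detection use case described in the reply above, as an added example that is not part of the original thread or of any pcapng implementation. SHA-1, the two scope names and all function names are assumptions chosen for illustration, and the sample frames are constructed; it does not encode an epb_hash option.

```python
import hashlib
import struct
from collections import defaultdict
ETH_IPV4, ETH_VLAN = 0x0800, 0x8100

def ip_datagram(frame):
    """Return the IPv4 datagram in an Ethernet frame, skipping 802.1Q tags."""
    offset = 12                                  # past dst + src MAC
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype == ETH_VLAN:                 # each tag is TPID + TCI, 4 bytes
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    if ethertype != ETH_IPV4:
        return None
    start = offset + 2
    (total_len,) = struct.unpack_from("!H", frame, start + 2)
    return frame[start:start + total_len]        # drops Ethernet padding

def digest(frame, scope="datagram"):
    """SHA-1 over the whole IP datagram, or over the IP payload only."""
    data = ip_datagram(frame)
    if data is None:
        return None
    if scope == "payload":
        data = data[(data[0] & 0x0F) * 4:]       # skip header (IHL words)
    return hashlib.sha1(data).digest()

def find_duplicates(captures, scope="datagram"):
    """Map digest -> capture timestamps, for digests seen more than once."""
    seen = defaultdict(list)
    for ts, frame in captures:
        d = digest(frame, scope)
        if d is not None:
            seen[d].append(ts)
    return {d: t for d, t in seen.items() if len(t) > 1}

def _frame(ttl, payload, vlan=None, pad=0):      # constructed test frame builder
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0,
                     ttl, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tag = b"" if vlan is None else struct.pack("!HH", ETH_VLAN, vlan)
    eth = b"\x02" * 12 + tag + struct.pack("!H", ETH_IPV4)
    return eth + ip + payload + b"\x00" * pad

SAMPLE = [  # constructed: (timestamp in seconds, frame)
    (0.000100, _frame(64, b"hello", pad=21)),    # untagged SPAN copy, padded
    (0.000350, _frame(64, b"hello", vlan=10)),   # same datagram on VLAN 10
    (0.002000, _frame(63, b"hello")),            # after a routed hop (TTL - 1)
    (0.003000, _frame(64, b"other")),            # unrelated packet
]
```

With the "datagram" scope only the two copies from the same segment match, because the routed copy has a different TTL; the "payload" scope matches all three, and the spread of timestamps per digest is the latency between capture points.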