[pcap-ng-format] Some questions about the pcapng draft

Hadriel Kaplan the.real.hadriel at gmail.com
Wed Jul 22 13:10:51 UTC 2015


Howdy,

I have some questions for the draft to clear up:

1) Can there be multiple opt_comment options for the same block?
(i.e., can you add a second, third, fourth, ...)

2) Are IPv4 address fields in all blocks/options always encoded in
network byte order? (since some programs internally represent them as
a uint32_t, this should be indicated in the draft)

3) For the Section Header Block’s shb_hardware, shb_os, and
shb_userappl options: should/must capture file re-writers replace
these values? For example, should mergecap replace them when it merges
two pcapng files? Should tshark/Wireshark replace them, if they had
filtered out some packets from the original pcapng file? What if it
only converts from pcapng version X to future pcapng version Y?

4) Should capture file re-writers pass-through unknown blocks and
options, or should they remove them? If they copy/keep them, the
endianness of their payloads may get screwed up.

Perhaps question 3+4 above are out-of-scope for the draft, since it’s
technically a file format spec not an app implementation doc. But the
Introduction said two of the goals were “Portability” and
“Merge/Append data”, so perhaps an appendix with recommendations for
such actions would be useful?

-hadriel
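
An added illustration of the concern in question 4, not part of the original message or of the pcapng draft: a re-writer converts an options list from little-endian to big-endian, swapping the option headers it understands and copying every value verbatim. The option code 0x7ABC, its uint32 payload, and all function names are constructed for this example.

```python
import struct

OPT_ENDOFOPT = 0       # terminates an options list
OPT_COMMENT = 1        # opt_comment, UTF-8 text
UNKNOWN_CODE = 0x7ABC  # constructed code standing in for an option the re-writer does not know

def pack_option(code, value, endian):
    """Encode one option: 16-bit code, 16-bit length, value padded to 32 bits."""
    pad = (-len(value)) % 4
    return struct.pack(endian + "HH", code, len(value)) + value + b"\x00" * pad

def parse_options(buf, endian):
    """Return [(code, raw_value)] in file order; repeated codes are kept."""
    opts, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from(endian + "HH", buf, off)
        off += 4
        if code == OPT_ENDOFOPT:
            break
        if off + length > len(buf):
            raise ValueError("option value runs past end of block")
        opts.append((code, buf[off:off + length]))
        off += length + (-length) % 4
    return opts

def rewrite_options(buf, src, dst):
    """Re-encode an options list from byte order src to dst.

    Only the option headers are converted; every value is copied verbatim,
    which is all a re-writer can do for a payload whose layout it does not know.
    """
    out = b"".join(pack_option(c, v, dst) for c, v in parse_options(buf, src))
    return out + pack_option(OPT_ENDOFOPT, b"", dst)

def demo():
    # Constructed sample: two comments and one unknown option holding a uint32 of 1,
    # written by a little-endian producer.
    original = (pack_option(OPT_COMMENT, b"first", "<")
                + pack_option(OPT_COMMENT, b"second", "<")
                + pack_option(UNKNOWN_CODE, struct.pack("<I", 1), "<")
                + pack_option(OPT_ENDOFOPT, b"", "<"))
    opts = parse_options(rewrite_options(original, "<", ">"), ">")
    comments = [v.decode("utf-8") for c, v in opts if c == OPT_COMMENT]
    raw = dict(opts)[UNKNOWN_CODE]
    # A reader that trusts the section's (now big-endian) byte order misreads the integer.
    return comments, struct.unpack(">I", raw)[0]

if __name__ == "__main__":
    print(demo())
```

The text comments survive the conversion because they are byte strings, while the integer inside the unknown option is read back as 16777216 instead of 1.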

