[pcap-ng-format] Fwd: Some questions about the pcapng draft

Hadriel Kaplan the.real.hadriel at gmail.com
Wed Jul 22 17:06:30 UTC 2015


On Wed, Jul 22, 2015 at 9:22 AM, Jasper Bongertz <jasper at packet-foo.com> wrote:
> The only reason I can think of to use multiple comments is abusing
> them for something else, e.g. if I want an option for "this packet was
> sanitized" and it doesn't exist (or won't be added, for whatever
> reason). But in that case I'd prefer adding a specific option instead
> of abusing comments ;-)

A couple of reasons for multiple distinct comments:
- if a capture file is being sent back and forth between multiple parties,
they can add comments to previous comments to keep a running record.
For example if you're exchanging it among developers or support
people, and the first one writes "this is the problem with Foo", and
the next one writes "but field X means it's not Foo", and so on.
- if the application adds its own comments. (as mergecap and Wireshark
do in some cases)


>> 3) For the Section Header Block’s shb_hardware, shb_os, and
>> shb_userappl options: should/must capture file re-writers replace
>> these values? For example, should mergecap replace them when it merges
>> two pcapng files? Should tshark/Wireshark replace them, if they had
>> filtered out some packets from the original pcapng file? What if it
>> only converts from pcapng version X to future pcapng version Y?
>
> That is something I asked a while ago, too. My idea would be to keep
> the original values no matter what (because I do like to know the
> original capture situation) and add an option to the next version like
> "shb_editor" that can be added when files are merged/edited/sanitized.
> Right now TraceWrangler and Mergecap both write into the file comment
> option instead, as far as I remember.

Yes, mergecap does not copy anything over for the SHB, and adds its
own SHB comment from scratch, as well as shb_user_appl of itself.
Wireshark, when merging files through the GUI, will not copy the SHB's
shb_hardware or shb_os options, but will copy the first file's SHB
opt_comment and append stuff to it, for the new file; it will also add
a shb_user_appl of itself (not from the merged files).

For file editing/exporting, tshark, wireshark and editcap will
copy/keep the original SHB's known options, including comments; they
will add a shb_user_appl of themselves only if the original was empty.

-hadriel
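As an added example (not code from this thread, nor from Wireshark, mergecap or editcap), the following Python script builds and parses a pcapng Section Header Block and applies the two option-handling policies Hadriel describes above: the editing/exporting policy (keep every original SHB option, add shb_userappl only if none was present) and the merging policy (a fresh SHB carrying only the tool's own comment and shb_userappl). It also shows the "running record" use of several distinct opt_comment options. The block layout and option codes follow the pcapng draft (SHB type 0x0A0D0D0A, byte-order magic 0x1A2B3C4D, opt_comment=1, shb_hardware=2, shb_os=3, shb_userappl=4); the tool names, hardware/OS strings and comment texts in the demo are constructed sample values.

```python
import struct

# Constants from the pcapng draft: SHB block type, byte-order magic and the
# Section Header Block option codes discussed in the thread.
SHB_TYPE = 0x0A0D0D0A
BYTE_ORDER_MAGIC = 0x1A2B3C4D
OPT_ENDOFOPT, OPT_COMMENT, SHB_HARDWARE, SHB_OS, SHB_USERAPPL = 0, 1, 2, 3, 4


def _pad4(n):
    """Padding needed to bring n bytes up to a 4-byte boundary."""
    return (4 - n % 4) % 4


def encode_options(options, e="<"):
    """Serialize [(code, value_bytes), ...] as pcapng options; e is the struct byte-order prefix."""
    out = bytearray()
    for code, value in options:
        out += struct.pack(e + "HH", code, len(value)) + value + b"\x00" * _pad4(len(value))
    out += struct.pack(e + "HH", OPT_ENDOFOPT, 0)
    return bytes(out)


def build_shb(options, e="<"):
    """Build one Section Header Block (version 1.0, unspecified section length)."""
    body = struct.pack(e + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + encode_options(options, e)
    total = 12 + len(body)  # block type + two block-length fields + body
    return struct.pack(e + "II", SHB_TYPE, total) + body + struct.pack(e + "I", total)


def parse_shb(data):
    """Parse an SHB, detecting byte order from the magic, and return version and options.
    Every length is checked against the buffer so a truncated or corrupt block raises
    instead of being over-read."""
    if data[0:4] != b"\x0a\x0d\x0d\x0a":  # block type reads the same in both byte orders
        raise ValueError("not a Section Header Block")
    if data[8:12] == struct.pack("<I", BYTE_ORDER_MAGIC):
        e = "<"
    elif data[8:12] == struct.pack(">I", BYTE_ORDER_MAGIC):
        e = ">"
    else:
        raise ValueError("bad byte-order magic")
    total = struct.unpack_from(e + "I", data, 4)[0]
    if total < 28 or total % 4 or total > len(data):
        raise ValueError("bad block total length")
    major, minor, section_len = struct.unpack_from(e + "HHq", data, 12)
    options, off, end = [], 24, total - 4
    while off + 4 <= end:
        code, length = struct.unpack_from(e + "HH", data, off)
        off += 4
        if code == OPT_ENDOFOPT:
            break
        if off + length > end:
            raise ValueError("option runs past the end of the block")
        options.append((code, bytes(data[off:off + length])))
        off += length + _pad4(length)
    if struct.unpack_from(e + "I", data, total - 4)[0] != total:
        raise ValueError("trailing block length does not match")
    return {"version": (major, minor), "section_length": section_len, "options": options}


def edit_policy(options, tool):
    """Editing/exporting policy as described in the mail for tshark/wireshark/editcap:
    keep every original SHB option, add shb_userappl only if none was present."""
    kept = list(options)
    if not any(code == SHB_USERAPPL for code, _ in kept):
        kept.append((SHB_USERAPPL, tool.encode("utf-8")))
    return kept


def merge_policy(tool, comment):
    """Merging policy as described in the mail for mergecap: a fresh SHB that copies
    nothing from the inputs and carries only the tool's own comment and shb_userappl."""
    return [(OPT_COMMENT, comment.encode("utf-8")), (SHB_USERAPPL, tool.encode("utf-8"))]


def add_comment(options, text):
    """Append a new, distinct opt_comment (the running-record use from the mail)
    instead of editing the existing one."""
    return list(options) + [(OPT_COMMENT, text.encode("utf-8"))]


def comments(options):
    """All opt_comment values, in file order."""
    return [v.decode("utf-8") for c, v in options if c == OPT_COMMENT]


def demo():
    """Constructed scenario: a capture passes through two more parties (sample values only)."""
    original = [(SHB_HARDWARE, b"x86_64"), (SHB_OS, b"Linux 4.0"),
                (SHB_USERAPPL, b"dumpcap"), (OPT_COMMENT, b"this is the problem with Foo")]
    first = build_shb(original)
    # Second party filters the file with an editcap-like policy and adds a reply comment.
    second = build_shb(add_comment(edit_policy(parse_shb(first)["options"], "editcap"),
                                   "but field X means it's not Foo"))
    # Third party merges it with another file using a mergecap-like policy.
    merged = build_shb(merge_policy("mergecap", "merged from two files"))
    return parse_shb(second), parse_shb(merged)


if __name__ == "__main__":
    edited, merged = demo()
    print("edited SHB comments:", comments(edited["options"]))
    print("merged SHB options:", merged["options"])
```

Running the script prints the two comments of the edited file as separate entries, with the original shb_hardware, shb_os and shb_userappl untouched, while the merged file's SHB carries only the merging tool's own comment and shb_userappl. The parser's length checks are what a re-writer should keep even if it drops the policy code: an option length that points past the block must be rejected, not trusted.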