[pcap-ng-format] The "scope" of the Name Resolution Block

Hadriel Kaplan the.real.hadriel at gmail.com
Wed Sep 2 01:54:37 UTC 2015


On Tue, Sep 1, 2015 at 1:24 PM, Guy Harris <guy at alum.mit.edu> wrote:
>
> On Sep 1, 2015, at 7:53 AM, Hadriel Kaplan <the.real.hadriel at gmail.com> wrote:
>
>> If its scope is only the local SHB section:
>>
>> - Then as a capture device, you'd have to repeat it for each section
>> in a file, if you add new sections (due to things like interfaces
>> going away or their local IPs changing due to DHCP, since the only
>> means we have of doing that is by adding SHBs).
>
> That's a bug.
>
> What we *should* have is an Interface Update Block, which has, as its fixed data, an interface ID, followed by the same options that an Interface Description Block has, indicating what interface properties changed.  Perhaps it should also have a time stamp to indicate *when* the information changed.

How about an "Interface Event Block", which has as its fixed data the
Interface ID, timestamp, and Event Type which is one of:
0 = Link Up
1 = Link Down
2 = Enabled
3 = Disabled
4 = Info Changed

For the last one "Info Changed", the options in the block replace the
existing ones - i.e., if the interface already had an IPv4 address and
a new one got added, this block will have both the old and new one; if
the old one got replaced by the new one, this block has just the new
one; if the old one went away without a replacement, this one has no
if_IPv4addr option. I would, however, like to restrict it so that
if_tsresol, if_tzone, if_fcslen, and if_tsoffset cannot be changed
this way; they require creating a new IDB or a new SHB and IDB. (it's
really complicated to handle those things changing in the middle of an
SHB otherwise)

The "Enabled"/"Disabled" ones could be used if either the admin
enabled/disabled the interface, or the interface went away or later
came back. (or make the latter scenarios new event types)

The "Link Up" and "Link Down" ones are self-evident.

We could also just give each of these "events" their own block number,
instead of using an Event Type field - it's not like we're going to
run out of block numbers. :)

-hadriel
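
The "Info Changed" replace semantics proposed above, sketched as reader-side state tracking. This is an added example, not part of the original post or of any pcapng specification or implementation. `Interface`, `apply_event` and `ipv4_at` are hypothetical names, options are modelled as a dict of value lists, and carrying the four restricted options over when the block omits them is an assumption.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class EventType(IntEnum):          # values as listed in the post
    LINK_UP = 0
    LINK_DOWN = 1
    ENABLED = 2
    DISABLED = 3
    INFO_CHANGED = 4

# Options the post says an event block must not change.
FROZEN = {"if_tsresol", "if_tzone", "if_fcslen", "if_tsoffset"}

@dataclass
class Interface:                   # hypothetical reader-side state for one IDB
    options: dict                  # option name -> list of values
    link_up: bool = True
    enabled: bool = True
    timeline: list = field(default_factory=list)  # (ts, IPv4 list) snapshots

    def __post_init__(self):       # seed the timeline with the IDB's addresses
        self.timeline.append((0, list(self.options.get("if_IPv4addr", []))))

def apply_event(iface, ts, event_type, options=None):
    """Apply one proposed Interface Event Block to the interface state."""
    ev = EventType(event_type)     # ValueError on an unknown event type
    if ev is EventType.INFO_CHANGED:
        new = dict(options or {})
        for name in FROZEN & new.keys():
            if new[name] != iface.options.get(name):
                raise ValueError(f"{name} needs a new IDB, not an event block")
        # Replace semantics: any option absent from the block is gone.
        # Assumption: the frozen options are carried over when omitted.
        kept = {k: v for k, v in iface.options.items() if k in FROZEN}
        iface.options = {**new, **kept}
        iface.timeline.append((ts, list(new.get("if_IPv4addr", []))))
    elif ev in (EventType.LINK_UP, EventType.LINK_DOWN):
        iface.link_up = ev is EventType.LINK_UP
    else:
        iface.enabled = ev is EventType.ENABLED
    return iface

def ipv4_at(iface, ts):
    """IPv4 addresses in effect at packet timestamp ts (events in ts order)."""
    current = []
    for when, addrs in iface.timeline:
        if when <= ts:
            current = addrs
    return current
```

`ipv4_at` is the part an analyst cares about: it ties a packet timestamp to the addresses the interface held at that moment, which per-section repetition of the IDB cannot express.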

