[pcap-ng-format] The "scope" of the Name Resolution Block
Hadriel Kaplan
the.real.hadriel at gmail.com
Wed Sep 2 12:22:58 UTC 2015
On Tue, Sep 1, 2015 at 11:27 PM, Guy Harris <guy at alum.mit.edu> wrote:
>
> On Sep 1, 2015, at 6:54 PM, Hadriel Kaplan <the.real.hadriel at gmail.com> wrote:
>
>> How about a "Interface Event Block", which has as its fixed data the
>> Interface ID, timestamp, and Event Type which is one of:
>> 0 = Link Up
>> 1 = Link Down
>> 2 = Enabled
>> 3 = Disabled
>> 4 = Info Changed
>
> At least two file formats (i4b, i.e. ISDN4BSD, and EyeSDN - yes, there's a theme here :-)) have layer 1 event records that have descriptive text as the contents (EyeSDN also has a direction indication, which I guess is user->network or network->user).
>
> Should we support something such as that, or should we use custom blocks for them? It *might* be useful to tie them to an interface (although nothing forbids a custom block from including an interface ID).
My 2 cents: for ISDN (or really anything on T1/E1 phy) a layer-1 event
like Loss of Signal should be a Interface Event for Type "Link Down",
but yeah descriptive text would be useful anyway for things we can't
map, like alarm indications being set/cleared or out-of-frame and so
on. I guess adding another Event Type for "Unknown" or "other" (or
both) would be useful. And of course a string option to go along with
it.
-hadriel
More information about the pcap-ng-format
mailing list