[pcap-ng-format] Addition of new content

Jasper Bongertz jasper at packet-foo.com
Wed Sep 2 22:27:39 UTC 2015


Hi All,

so far I had been under the impression that we're not going to
add things to the specs but try to trim/streamline them to a state
where we can push it to be an official "1.0" version.

If we're going to add new block types like an "Interface Event Block"
(IEB) (which makes sense to me) this seems not to be the way to go
anymore, and I'm fine with it as long as it doesn't turn into a
never-ending story (by keeping on adding new "cool" stuff).

There are a number of other block types currently not in the specs,
e.g. the crypto blocks by Michael Haney, the blocks used by the Hone
Project (who now seem to have a Windows port as well), and the SysDig
block types. Question is, do we want to add those to the spec first,
or keep what block types we have and aim for a "1.0" with them? That
may also mean not adding an "Interface Event Block" as of now, if we're
fair.

Especially the crypto stuff isn't easily reviewed and may have lots of
discussions coming up. For example I have no idea how to be able to
read and decode those in my code, but I'm not a crypto guy. They seem
to be pretty complex to handle.

We may also choose to focus on finishing the spec with "normal network
capture related" blocks, leaving out complex blocks used by Hone,
Crypto and SysDig for now, but adding helpers like IEBs, which should
be achievable in a reasonable time frame. I doubt that we can evaluate
and agree on all the others as they're much more complicated and may
lead to a spec that we have to heavily modify in later versions.

What do you think?

Cheers,
Jasper

P.S.: I'd like to add an option to all block types to add flags
indicating that they've been edited, sanitized, sliced, reduced in
size by content replacement, expanded in size by content replacement
and maybe a few others. But it can also wait for a later version if we
agree to streamline and not add stuff :-)