[pcap-ng-format] Addition of new content

Guy Harris guy at alum.mit.edu
Fri Sep 4 08:05:35 UTC 2015


On Sep 3, 2015, at 10:23 PM, Michael Haney <michael-haney at utulsa.edu> wrote:

> > capinfos network-tap.pcapng 
> capinfos: Can't open network-tap.pcapng: The file isn't a capture file in a known format

That's the wrong report - it *should* have said that it was a pcapng file with an unsupported *version*.

Which version of capinfos was that?

> I see your point. My confusion came from the idea that any pcapng-compatible code should be built to skip over blocks it doesn't understand, and that unknown additional blocks can safely be skipped.

...which means that pcapng-compatible code need not be informed of any change by a version number change unless that change makes it impossible for it to read the new file format.

> In my mind, adding additional blocks, while keeping all the v1.0 blocks well-formed, should be indicated by some kind of version change

So any time anybody creates a private block type or a custom block type, the version number should be changed?

There's nothing special about new block types in the spec - from the point of view of code that reads files, unknown block types are unknown block types, regardless of whether the block type value is in the range 0x00000000 through 0x00000BAC, 0x00000BAD, in the range 0x00000BAE through 0x40000BAC, 0x40000BAD, in the range 0x40000BAE through 0x7FFFFFFF, or in the range 0x80000000 through 0xFFFFFFFF.

> but not necessarily stop a tool in its tracks.  Files that have proper v1.0 blocks in place but also have extra blocks not defined in the v1.0 spec - seems to me - should be something other than v1.0 files.

It seems to *me* that if we ever have to change the version number from 1.0 for compatibility reasons, we've failed in achieving the "Extensibility" goal in the introduction to the pcapng spec:

	It should be possible to add new standard capabilities to the file format over time, and third parties should be able to enrich the information embedded in the file with proprietary extensions, with tools unaware of newer extensions being able to ignore them.
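
Added example (not part of the original message, and not capinfos or Wireshark code): a minimal reader that steps over block types it does not understand by their length, and reports an unsupported Section Header Block version separately from "not a pcapng file". It assumes the standard block layout (type, total length, body, repeated total length); the function names, the `0x80000001` block type and the sample bytes are constructed for illustration.

```python
import struct

SHB_TYPE, BYTE_ORDER_MAGIC = 0x0A0D0D0A, 0x1A2B3C4D
UNDERSTOOD = {SHB_TYPE, 0x00000001, 0x00000006}  # SHB, IDB, EPB

class NotPcapng(ValueError): pass           # not this format at all
class UnsupportedVersion(ValueError): pass  # pcapng, but a major version we cannot read

def walk_blocks(data):
    """Return (understood, skipped) block-type lists for a pcapng byte string."""
    if data[:4] != b"\x0a\x0d\x0d\x0a":
        raise NotPcapng("file does not start with a Section Header Block")
    understood, skipped, off, end = [], [], 0, "<"
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError("truncated block at offset %d" % off)
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":
            # The SHB type reads the same in both byte orders; the magic picks one.
            magic = data[off + 8:off + 12]
            if magic == struct.pack("<I", BYTE_ORDER_MAGIC): end = "<"
            elif magic == struct.pack(">I", BYTE_ORDER_MAGIC): end = ">"
            else: raise NotPcapng("bad byte-order magic")
        btype, total = struct.unpack_from(end + "II", data, off)
        min_len = 28 if btype == SHB_TYPE else 12
        if total < min_len or total % 4 or off + total > len(data):
            raise ValueError("bad block length %d at offset %d" % (total, off))
        if struct.unpack_from(end + "I", data, off + total - 4)[0] != total:
            raise ValueError("leading and trailing block lengths disagree")
        if btype == SHB_TYPE:
            major, minor = struct.unpack_from(end + "HH", data, off + 12)
            if major != 1:
                raise UnsupportedVersion("pcapng version %d.%d" % (major, minor))
        (understood if btype in UNDERSTOOD else skipped).append(btype)
        off += total  # the length field is all a reader needs to skip a block
    return understood, skipped

def block(btype, body, end="<"):
    """Build one block of constructed sample data, padding the body to 32 bits."""
    body += b"\0" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack(end + "II", btype, total) + body + struct.pack(end + "I", total)

def shb(major, minor, end="<"):
    # Body: byte-order magic, major, minor, section length -1 (unspecified).
    return block(SHB_TYPE, struct.pack(end + "IHHq", BYTE_ORDER_MAGIC, major, minor, -1), end)

# Constructed sample: a 1.0 section with two block types this reader does not know.
SAMPLE = (shb(1, 0) + block(0x00000001, b"constructed")
          + block(0x00000BAD, b"constructed") + block(0x80000001, b"x")
          + block(0x00000006, b"constructed"))
```
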

