[pcap-ng-format] TODO in pcap-ng specifications

Guy Harris guy at alum.mit.edu
Thu Jun 2 03:03:49 UTC 2016


On Jul 24, 2012, at 6:49 AM, Jasper Bongertz <jasper.bongertz at flane.de> wrote:

> I've just spent a little time in the specs and searched for all TODOs to
> see what can be done about them. I have created a text document with my
> thoughts, and maybe some of you can take a look at it and we can start a
> discussion about it to get things going.
> 
> If nobody disagrees I will replace the simple TODO items (for the
> examples mostly) in the SVN sometime end of this week.

OK, for the options we have, from the TODO list:

opt_endofopt		only once, if at all
opt_comment		multiple
shb_hardware		multiple  
shb_os			multiple
shb_userappl		multiple
if_name			once
if_description		once
if_IPv4addr		multiple
if_IPv6addr		multiple
if_MACaddr		once
if_EUIaddr		once
if_speed		once
if_tsresol		once
if_tzone		once
if_filter		once
if_os			once
if_fcslen		once
if_tsoffset 		once
epb_flags		once
epb_hash		once
epb_dropcount		once
pack_flags		once
pack_hash		once
ns_dnsname		multiple
ns_dnsIP4addr		multiple
ns_dnsIP6addr		multiple
isb_starttime		once
isb_endtime		once
isb_ifrecv		once
isb_ifdrop		once
isb_filteraccept	once
isb_osdrop		once
isb_usrdeliv		once

I've added a "Multiple allowed?" column to the tables of options, and filled it in.  Most of them agree with the above, except for:

	shb_hardware		multiple  
	shb_os			multiple
	shb_userappl		multiple

For those, I put "no" in - if the capture isn't the result of a merger, they should record information about the machine on which the capture was done, leaving out subsequent processing, and, if it *is* the result of a merger, we need more information than just a list of those values, we need to indicate which hardware/os/userappl combinations belong to which of the input files.

See my "merge IDs" option proposal in another thread.

	ns_dnsname		multiple
	ns_dnsIP4addr		multiple
	ns_dnsIP6addr		multiple

For those, I put "no" in - if the name/address pairings in the capture come from multiple different servers, there should be multiple NRBs, one for each server.  That way, there's an indication of which server provided which addresses.

Perhaps there could be multiple addresses, if the server has multiple IP addresses, but only one name - and if the different addresses actually correspond to different servers, all given the same name, perhaps even there there should be different NRBs.

	epb_hash		once
	pack_hash		once

For those, I put "yes" in - there could be multiple hashes for a packet, computed with different hash algorithms.

In addition, multiple custom options are allowed; we can't specify policy for an escape hatch...
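An added example, not code from the original thread or from the pcapng project: a small Python parser for a pcapng option list (code, length, 32-bit-padded value, terminated by opt_endofopt) that bounds-checks the list and flags options repeated where the "Multiple allowed?" policy settled above says "once". It assumes little-endian encoding and the option codes from the pcapng specification; the IDB option list at the end is constructed sample data.

```python
import struct
from collections import Counter

# "Multiple allowed?" policy settled in the message above, keyed by block type,
# then by option code (True = may repeat).  opt_comment (1) always repeats.
SHB, IDB, EPB, NRB, ISB = 0x0A0D0D0A, 1, 6, 4, 5
POLICY = {
    SHB: {1: True, 2: False, 3: False, 4: False},          # hardware/os/userappl once
    IDB: {**{c: False for c in range(2, 15)}, 1: True, 4: True, 5: True},  # IPv4/IPv6 repeat
    EPB: {1: True, 2: False, 3: True, 4: False},           # epb_hash may repeat
    NRB: {1: True, 2: False, 3: False, 4: False},          # one server per NRB
    ISB: {1: True, **{c: False for c in range(2, 9)}},
}

def parse_options(buf, little_endian=True):
    # Option list: 16-bit code, 16-bit length, value padded to 4 bytes,
    # terminated by opt_endofopt (code 0, length 0).  Malformed input raises.
    fmt = "<HH" if little_endian else ">HH"
    opts, off = [], 0
    while True:
        if off + 4 > len(buf):
            raise ValueError("option list not terminated by opt_endofopt")
        code, length = struct.unpack_from(fmt, buf, off)
        off += 4
        if code == 0:
            if length != 0 or off != len(buf):
                raise ValueError("bad opt_endofopt or trailing bytes")
            return opts
        if off + length > len(buf):
            raise ValueError(f"option {code}: length {length} overruns buffer")
        opts.append((code, buf[off:off + length]))
        off += (length + 3) & ~3  # skip value plus 32-bit alignment padding

def check_multiplicity(block_type, opts):
    # Codes that repeat although policy says once; custom/unknown codes are skipped.
    counts = Counter(code for code, _ in opts)
    return sorted(c for c, n in counts.items()
                  if n > 1 and POLICY[block_type].get(c) is False)

def encode_option(code, value, little_endian=True):
    fmt = "<HH" if little_endian else ">HH"
    return struct.pack(fmt, code, len(value)) + value + b"\0" * ((-len(value)) % 4)

# Constructed IDB option list (little-endian): if_name once, if_IPv4addr twice
# (allowed), if_tsresol twice (not allowed), then opt_endofopt.
SAMPLE_IDB_OPTS = (encode_option(2, b"eth0")
                   + encode_option(4, bytes([10, 0, 0, 1, 255, 255, 255, 0]))
                   + encode_option(4, bytes([192, 168, 1, 1, 255, 255, 255, 0]))
                   + encode_option(9, b"\x06") + encode_option(9, b"\x09")
                   + encode_option(0, b""))
```

`check_multiplicity(IDB, parse_options(SAMPLE_IDB_OPTS))` returns `[9]`, the duplicated if_tsresol; a truncated or unterminated list raises `ValueError` rather than being read past its end.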

