[pcap-ng-format] "Hardware, OS, User application" - separate options for "what did the capture?" and "what's processed the file"?

Guy Harris guy at alum.mit.edu
Wed Jun 8 23:07:06 UTC 2016


Another way to deal with merging:

Add a new block type, a "Merged-From Section Header Block".

An MFSHB, or whatever we end up calling it, has no mandatory content, only options.  It can have any option that can appear in an SHB.

MFSHBs must all be immediately after an SHB or another MFSHB, so a section begins with an SHB, followed by zero or more MFSHBs, followed by the rest of the blocks in the section.

When files not themselves produced by merging are merged, the merging program should, after the SHB for a section, put MFSHBs for all the sections that contributed blocks to the new section (possibly including sections that didn't, as it might not be possible to rule out sections until they've been completely processed), containing the options from that SHB.

A new if_mergedfrom IDB option should be added; it has a 32-bit integral value, and multiple if_mergedfrom options can appear in an IDB.  When merging files, an IDB from an input file should have if_mergedfrom options with the ordinal numbers of the MFSHBs from the sections from which it came; "sections" because, if the merging program decided that interface XXX in file A and interface YYY in file B are the same interface, it should flag it as having come from both files.

If files that were themselves produced by merging are merged:

	1) all the MFSHBs from the input files should appear in the output file;

	2) IDBs for interfaces should refer to the MFSHB for the file from which they originally came - i.e., the if_mergedfrom options should be updated to refer to the MFSHB in the output file that came from the one in its input file and to which it referred in the input file;

	3) we could add an additional MFSHB for this merger-of-mergers - but if we use comments to preserve the editing history, that shouldn't be necessary.

NOTE: the current pcapng spec speaks of shb_hardware, shb_os, and shb_userappl as being for the hardware/OS/application "used to create this section."  That should perhaps be clarified so that it indicates what counts as "creating" a section - if you just open up a file in Wireshark, add a comment to a frame, and save it, that might not count as "creating" the section, as it already exists, but what about programs that read a file and write another file?  Should those record the information about the writing program in the SHB, and use the MFSHB (renamed to indicate that it's for more than just merging) to preserve the original file information?  Or should programs that don't do merging just add comments to indicate that the file was filtered/anonymized/etc. by some program?
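The merging procedure laid out in the message above, as an added Python example that is not code from the post, the pcapng specification or any real merging tool. It models sections in memory rather than as pcapng bytes; the dict layout, the 0-based MFSHB ordinals and the `same_interface` callback are assumptions, since the post assigns no block type or option code.

```python
# Added illustration of the merge rules in the post above; not from pcapng or any real tool.
# Sections live in memory: block/option codes and 0-based MFSHB ordinals are assumptions.

def merge_sections(inputs, same_interface):
    """Merge pcapng-style sections. Each input: {"shb": {opt: val}, "mfshbs": [...], "idbs": [...]}.
    Each IDB: {"name", "linktype", "if_mergedfrom": [MFSHB ordinals]}.  same_interface(a, b)
    is the merging program's decision that two IDBs describe one interface."""
    out = {"shb": {"shb_userappl": "merge-example (hypothetical)"}, "mfshbs": [], "idbs": []}
    for sec in inputs:
        if sec["mfshbs"]:
            # Input was itself a merge product: carry over all its MFSHBs (rule 1)
            # and shift its if_mergedfrom ordinals to their new positions (rule 2).
            base = len(out["mfshbs"])
            out["mfshbs"].extend(dict(m) for m in sec["mfshbs"])
            origins = lambda idb, base=base: [base + o for o in idb["if_mergedfrom"]]
        else:
            # Unmerged input: one MFSHB holding that section's SHB options.
            out["mfshbs"].append(dict(sec["shb"]))
            ordinal = len(out["mfshbs"]) - 1
            origins = lambda idb, ordinal=ordinal: [ordinal]
        for idb in sec["idbs"]:
            new = {"name": idb["name"], "linktype": idb["linktype"],
                   "if_mergedfrom": origins(idb)}
            for existing in out["idbs"]:
                if same_interface(existing, new):
                    # Same interface seen in another input: flag it as from both.
                    existing["if_mergedfrom"] = sorted(
                        set(existing["if_mergedfrom"]) | set(new["if_mergedfrom"]))
                    break
            else:
                out["idbs"].append(new)
    return out

def demo():
    # Constructed sample sections; merge A+B, then merge C with that result.
    by_name = lambda a, b: (a["name"], a["linktype"]) == (b["name"], b["linktype"])
    idb = lambda name: {"name": name, "linktype": 1, "if_mergedfrom": []}
    file_a = {"shb": {"shb_os": "Linux", "shb_userappl": "dumpcap"}, "mfshbs": [], "idbs": [idb("eth0")]}
    file_b = {"shb": {"shb_os": "FreeBSD", "shb_userappl": "tcpdump"}, "mfshbs": [], "idbs": [idb("eth0"), idb("wlan0")]}
    first = merge_sections([file_a, file_b], by_name)   # eth0 -> [0, 1], wlan0 -> [1]
    file_c = {"shb": {"shb_os": "macOS", "shb_userappl": "tcpdump"}, "mfshbs": [], "idbs": [idb("en0")]}
    # Merger of mergers: first's MFSHBs land at ordinals 1 and 2, behind file_c's.
    return merge_sections([file_c, first], by_name)
```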