[pcap-ng-format] "Hardware, OS, User application" - separate options for "what did the capture?" and "what's processed the file"?

Guy Harris guy at alum.mit.edu
Tue May 31 06:35:19 UTC 2016


If a capture is done, it might be useful to record, for the machine to which the physical interface on which the capture was done is attached:

	the hardware of that machine;

	the OS that machine is running;

	the application that did the capturing;

if they are available.

This is *NOT* necessarily the same as the machine that wrote out the pcapng file, because this could be done as the result of a *remote* capture.  Consider, for example, a Windows box running WinDump or Wireshark doing an rpcap capture with the rpcap server being a Linux box.  The "hardware of that machine" would be the hardware on the Linux box, the "OS that machine is running" would be the version of the distribution it's running and/or the version of the kernel it's running, and "the application that did the capturing" would be the rpcap daemon.

As per "to which the physical interface on which the capture was done is attached", this should probably be an Interface Description Block option.  We already have if_os for "the OS that machine is running"; we should probably add "if_hardware" - which, if that information is available, should perhaps report a combination of both the system hardware and the network adapter hardware, e.g.

	MacBook Pro, AirPort Extreme, Broadcom BCM43xx 1.0 (7.21.95.175.1a6)

or even

	MacBookPro11,5, AirPort Extreme, Broadcom BCM43xx 1.0 (7.21.95.175.1a6)

for my machine's Wi-Fi adapter - and "if_userappl".

These MUST (in the RFC sense) never be changed by any application processing the file; they must reflect the system to which the interface in question is attached.

Absent any objections, I'll add if_hardware, with a note that it should, ideally, contain information about both the system hardware and the network interface hardware, and if_userappl.
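The Interface Description Block option layout this proposal extends, as an added example that is not code from the post or from the pcapng project: it encodes if_os (option code 12) and the proposed if_hardware (the later pcapng draft assigned it code 15; that number is not stated in this message) as IDB options, then shows a file-processing step that adds an opt_comment while copying the capture-side options through unchanged, as the MUST above requires. It assumes a little-endian file, a stand-alone IDB with no surrounding Section Header Block, and constructed sample option values; if_userappl is left out because no option code for it appears here.

```python
import struct

IDB = 0x00000001           # Interface Description Block type
OPT_ENDOFOPT, OPT_COMMENT = 0, 1
IF_OS = 12                 # if_os, already in the spec when this was proposed
IF_HARDWARE = 15           # code later assigned to if_hardware in the pcapng draft (assumption: not on this page)
LINKTYPE_IEEE802_11 = 105  # link type for a raw Wi-Fi capture

def _opt(code, text):
    """Encode one option TLV: code, length, UTF-8 value padded to a 32-bit boundary."""
    data = text.encode("utf-8")
    return struct.pack("<HH", code, len(data)) + data + b"\0" * ((-len(data)) % 4)

def build_idb(linktype, snaplen, options):
    """Assemble a little-endian IDB carrying the given (code, text) options."""
    body = struct.pack("<HHI", linktype, 0, snaplen)        # LinkType, Reserved, SnapLen
    body += b"".join(_opt(c, v) for c, v in options)
    body += struct.pack("<HH", OPT_ENDOFOPT, 0)
    total = 12 + len(body)                                   # 8-byte header + body + trailing length
    return struct.pack("<II", IDB, total) + body + struct.pack("<I", total)

def parse_idb(block):
    """Return (linktype, snaplen, [(code, text), ...]) from a little-endian IDB."""
    btype, total = struct.unpack_from("<II", block, 0)
    if btype != IDB or total != len(block):
        raise ValueError("not a well-formed IDB")
    linktype, _reserved, snaplen = struct.unpack_from("<HHI", block, 8)
    opts, off = [], 16                                       # options start after the fixed fields
    while off + 4 <= total - 4:                              # stop before the trailing block length
        code, length = struct.unpack_from("<HH", block, off)
        off += 4
        if code == OPT_ENDOFOPT:
            break
        opts.append((code, block[off:off + length].decode("utf-8")))
        off += length + (-length) % 4                        # skip value plus padding
    return linktype, snaplen, opts

def annotate_idb(block, comment):
    """A processing step that adds an opt_comment but passes every existing option
    through untouched, so if_os/if_hardware keep describing the capturing host
    rather than the machine that rewrote the file."""
    linktype, snaplen, opts = parse_idb(block)
    return build_idb(linktype, snaplen, opts + [(OPT_COMMENT, comment)])

# Constructed sample IDB for the Wi-Fi adapter described in the message.
capture_idb = build_idb(LINKTYPE_IEEE802_11, 262144, [
    (IF_OS, "OS X (constructed sample value)"),
    (IF_HARDWARE, "MacBookPro11,5, AirPort Extreme, Broadcom BCM43xx 1.0 (7.21.95.175.1a6)"),
])
```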
