Re: proposed new pcap format

[Guy Harris <guy () alum mit edu>]

On Mar 24, 2004, at 1:58 PM, Darren Reed wrote:

> Do I feel some desire for bpf.c to change, as well ?

Yes.

I'd like to see BPF supply a set of flags with every packet.  Those 
could include a received/sent indication, and the broadcast and 
multicast flags (and perhaps also a "promiscuous" flag).

I'd also like to see an "FCS length" indication.  That'd do a better 
job of handling interfaces whose drivers arrange that received packets 
include the FCS - Ethereal currently uses a hack to try to guess 
whether a frame has an FCS or not (if the trailer is longer than it 
needs to be, it's assumed to be trailer+FCS), but it'd be nice to have 
it know for sure, and *if* there are any PPP implementations that 
support an FCS and supply the FCS to BPF, it'd help there as well (so 
the length indication wouldn't just be "FCS absent"/"FCS present", in 
case there are implementations that support both 2-byte and 4-byte 
FCS's).

It might also be useful to supply receive error indications - I think 
some drivers, when promiscuous mode is turned on, turn off some or all 
"discard bad packets" flags for the interface (e.g., the EEPRO100 
driver in FreeBSD appears to turn off the "discard short packets" flag 
in promiscuous mode).  Those flags might be link-layer-type-dependent.

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe