tcpdump mailing list archives
Re: Proposed new pcap format
From: "Fulvio Risso" <fulvio.risso () polito it>
Date: Wed, 14 Apr 2004 08:25:25 +0200
-----Original Message-----
From: tcpdump-workers-owner () lists sandelman ca [mailto:tcpdump-workers-owner () lists sandelman ca] On Behalf Of Loris Degioanni
Sent: martedì 13 aprile 2004 19.53
To: tcpdump-workers () tcpdump org
Subject: Re: [tcpdump-workers] Proposed new pcap format

Ronnie,

----- Original Message -----
From: "Loris Degioanni"
Sent: Monday, April 12, 2004 2:56 PM
Subject: Re: [tcpdump-workers] Proposed new pcap format

I'd prefer a general flag field, which would include a direction indication (which might also include, for received packets, an indication of how it was received, e.g. unicast/multicast/broadcast/promiscuous/not specified), and could also include some other information (length of FCS, with 0 meaning "absent", and possibly link-layer-type-dependent error flags such as "runt frame", "bad CRC", etc.).

The problem is: all this information is not granted to be present, so you need to define default values, which in most cases mean "0", or "not available", or "absent". At this point why not using options?

If they are made mandatory they WILL always be present, or else it will not be a pcap compatible file.

Some systems, e.g. WinPcap, don't provide information about the direction. In addition, they never provide FCS, so its length would be always 0. They don't give indication about the link-layer-type-dependent errors (at least, they don't give a per packet indication). I think, indeed, that this is the behavior of most capture drivers. So, granting that all this information will always be present is not so easy...
I agree with Loris. I know that this flag would be extremely useful, but there are no guarantees that you're able to get this info from the NIC / NIC driver. Perhaps what we should do is to use 2 bits for each flag, where the first one means "flag is valid", and the second one is the flag value. E.g.:

     1     0     0     0   . . . . . .
    ^^^   ^^^   ^^^   ^^^
     |     |     |     No meaning
     |     |     "outcoming" flag is NOT valid
     |     packet is not "incoming"
     "incoming" flag is valid

Cheers,

fulvio

-
This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
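The two-bits-per-flag scheme proposed in the message above, written out as an added example that is not part of the original post or of libpcap. The 32-bit word width, the MSB-first bit order, and every name in the code are assumptions; the thread fixes none of them.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (not specified in the thread): a 32-bit flags word read
 * MSB first, two bits per flag: first bit = "flag is valid", second = value.
 * Slot numbers below are hypothetical; "outgoing" is the post's "outcoming". */
enum flag_index { FLAG_INCOMING = 0, FLAG_OUTGOING = 1 };
enum tristate { FLAG_UNKNOWN = -1, FLAG_FALSE = 0, FLAG_TRUE = 1 };

/* Bit offset of the pair for slot idx (idx must be 0..15). */
static uint32_t pair_shift(unsigned idx) { return 30u - 2u * idx; }

/* Writer side: record a value the capture driver actually reported. */
uint32_t flag_set(uint32_t word, unsigned idx, int value)
{
    uint32_t sh = pair_shift(idx);
    word &= ~(UINT32_C(3) << sh);                 /* clear the pair first */
    return word | ((UINT32_C(2) | (value ? 1u : 0u)) << sh);
}

/* Writer side: the driver gave no information for this flag. */
uint32_t flag_clear(uint32_t word, unsigned idx)
{
    return word & ~(UINT32_C(3) << pair_shift(idx));
}

/* Reader side: the value bit only means something when the valid bit is
 * set, so "not reported" is never confused with "false". */
enum tristate flag_get(uint32_t word, unsigned idx)
{
    uint32_t pair = (word >> pair_shift(idx)) & 3u;
    if (!(pair & 2u))
        return FLAG_UNKNOWN;      /* covers 00 and the malformed 01 */
    return (pair & 1u) ? FLAG_TRUE : FLAG_FALSE;
}

static const char *name(enum tristate t)
{
    return t == FLAG_UNKNOWN ? "unknown" : t == FLAG_TRUE ? "yes" : "no";
}

int main(void)
{
    /* Constructed sample: the bit pattern from the message, 1 0 0 0 ... */
    uint32_t word = UINT32_C(0x80000000);
    printf("incoming: %s\n", name(flag_get(word, FLAG_INCOMING)));
    printf("outgoing: %s\n", name(flag_get(word, FLAG_OUTGOING)));
    return 0;
}
```

A reader that treats a cleared valid bit as "unknown" keeps analysis tools from reporting a direction the capture driver never supplied.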