tcpdump mailing list archives

Re: proposed new pcap format

From: Ryan Mooney <ryan () pcslink com>
Date: Mon, 5 Apr 2004 19:39:12 -1000


There are probably good reasons why what I'm suggesting here is,
as stated, a bad idea; but since the packet storage format is up
for discussion I thought I'd throw this out to see if it peaks
anyones interest.

What about adding the concept of arbitrary meta-packets that can
sit anywhere in the capture stream.  These could be used to encode
comments, and other meta-data.  

This concept could also be used for other internal meta-data for 
example capture information like direction, interface info, etc...).
There would have to be a way to tag future as part of a meta-data
stream (to handle multiple interfaces, etc..).  

This could be done in a way to preserve the ability to cat multiple 
files together based on some sort of timestamp/crypto hash as the
tag ID, but that requires a bit more thought :>

Just a random thought..

On Sun, Apr 04, 2004 at 01:42:48AM -0800, Richard Sharpe wrote:

On Fri, 2 Apr 2004, Guy Harris wrote:

On Mar 25, 2004, at 9:31 AM, Richard Sharpe wrote:

One of the items I would like support for in a new format is comments.
That is, the ability to add textual comments to frames. These comments
would be ignored by tools that do not understand them, but they would 
be
displayed by tools capable of understanding them.


Would all comments necessarily be associated with frames?

One counter-example would be a comment associated with the capture as a 
whole (I think the old DOS Sniffer format supported that).


Hmmm, that is a good point ...

Regards
-----
Richard Sharpe, rsharpe[at]richardsharpe.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

--

-=-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-=-<

Ryan Mooney                                      ryan () pcslink com 
<-=-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-=-> 
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Current thread:

Re: proposed new pcap format Hannes Gredler (Apr 02)
- <Possible follow-ups>
- Re: proposed new pcap format Christian Kreibich (Apr 02)
  - Re: proposed new pcap format Darren Reed (Apr 02)
    - Re: proposed new pcap format Michael Richardson (Apr 02)
  - Re: proposed new pcap format Michael Richardson (Apr 12)
- Re: proposed new pcap format Guy Harris (Apr 02)
- Re: proposed new pcap format Richard Sharpe (Apr 04)
  - Re: proposed new pcap format Ryan Mooney (Apr 05)
    - Re: proposed new pcap format Guy Harris (Apr 06)
- Re: Proposed new pcap format Michael Richardson (Apr 05)
  - Re: Proposed new pcap format Loris Degioanni (Apr 06)
    - Re: Proposed new pcap format Richard Sharpe (Apr 07)
    - Re: Proposed new pcap format Michael Richardson (Apr 12)
    - Re: Proposed new pcap format Loris Degioanni (Apr 13)
- Re: Proposed new pcap format Ronnie Sahlberg (Apr 09)
  - Re: Proposed new pcap format Darren Reed (Apr 09)
    - Re: Proposed new pcap format Guy Harris (Apr 10)
    - Re: Proposed new pcap format Darren Reed (Apr 10)

(Thread continues...)