Re: Proposed new pcap format

["Ronnie Sahlberg" <ronnie_sahlberg () ozemail com au>]

----- Original Message ----- 
From: "Michael Richardson"
Sent: Tuesday, April 13, 2004 12:52 AM
Subject: Re: [tcpdump-workers] Proposed new pcap format


> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> > > > > > "Darren" == Darren Reed <darrenr () reed wattle id au> writes:
>     >> Oh, I forgot.
>     >>
>     >> Another useful thing to have is an option for the packet block
>     >> where one would store a reasonably collission-safe 8-byte hash of
>     >> the packet data.
>     >>
>     >> This would make it much easier to compare two different capture
>     >> files to see where packets are missing etc.
>
>     Darren> I'll agree that this, as part of the per-packet header,
>     Darren> would be a useful addition to the pcap format.  No need for
>     Darren> chained hashing, just per-record.
>
>   a) how strong do we need to make this?
>      8-byte implies it won't be CRC32. A longer CRC? MD4? MD5? SHA1?
>
>   b) how much performance can we afford?
>      (clearly, it could be left as 0 and filled in later on)
>
>   c) do we include this in every packet header?  Or as an extra
>      meta-attribute?

I originally proposed 8 bytes NOT to allow for cryptographically strong
hashes but to
reduce the probability for collissions in huge captures, birthday paradox
and all.

As far as my needs are concerned, others needs may differ, I would be
satisfied if it was just
reasonably collission-unlikely even for very large captures.
If the hash is cryptographically strong or not is irrelevant to me.


-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.