tcpdump mailing list archives

Re: RFC: DLT for "application TCP stream capture"


From: Michael Richardson <mcr () sandelman ca>
Date: Wed, 14 Jan 2015 11:57:53 -0500


"Paul \"LeoNerd\" Evans" <leonerd () leonerd org uk> wrote:
    > I wonder though, whether the flags could be combined with the IP
    > version field, given as the version in the underlying (real) IP packet
    > anyway is only a 4-bit field.

    > 1 byte       | Flags and IP version:
    > bit7 [ VVVV...W ] bit0
    > VVVV     = IP version
    > W = write/!read

    > Does it seem sensible to merge those to save a byte of output? (and
    > also ensure nice alignment of the header to 32bit boundaries).

    > It does momentarily seem wasteful to repeat the source/destination
    > information in every single packet (especially in the case of IPv6 with
    > its 256bits of addressing information). Though I don't know if that
    > outweighs the statefulness and added complexity of representing "flow
    > setup" operations and "more bytes of data sent/received on this flow"
    > as extra frame types.

Eventually, we'll be using this format to debug multi-path TCP, in which case
the IP addresses (and maybe even the IP4/IP6-ness of it) might change.

And gzip'ed those addresses will compress quite easily.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr () sandelman ca  http://www.sandelman.ca/        |   ruby on rails    [ 
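
The merged flags/version byte proposed in the quoted text, and the compression point made in the reply, as an added example that is not code from this thread or from libpcap. The header layout after the first byte (packed source then destination address), the must-be-zero reserved bits, and all function names are assumptions.

```python
import ipaddress
import zlib

WRITE_BIT = 0x01      # W = write/!read, bit 0 (from the proposal)
RESERVED_MASK = 0x0E  # bits 3..1: assumed must-be-zero, not stated in the thread
ADDR_LEN = {4: 4, 6: 16}  # bytes per address for each accepted VVVV value


def pack_flags_version(ip_version, is_write):
    """Build the merged byte: VVVV in bits 7..4, W in bit 0."""
    if ip_version not in ADDR_LEN:
        raise ValueError(f"unsupported IP version {ip_version}")
    return (ip_version << 4) | (WRITE_BIT if is_write else 0)


def build_header(src, dst, is_write):
    """Assumed record header: merged byte, then packed source and destination."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("address family mismatch")
    return bytes([pack_flags_version(s.version, is_write)]) + s.packed + d.packed


def parse_header(buf):
    """Return (version, is_write, src, dst, header_len), validating before slicing."""
    if not buf:
        raise ValueError("empty record")
    version, n = buf[0] >> 4, ADDR_LEN.get(buf[0] >> 4)
    if n is None:
        raise ValueError(f"unsupported IP version {version}")
    if buf[0] & RESERVED_MASK:
        raise ValueError(f"reserved bits set in 0x{buf[0]:02x}")
    if len(buf) < 1 + 2 * n:
        raise ValueError("truncated header")
    src = ipaddress.ip_address(bytes(buf[1:1 + n]))
    dst = ipaddress.ip_address(bytes(buf[1 + n:1 + 2 * n]))
    return version, bool(buf[0] & WRITE_BIT), src, dst, 1 + 2 * n


def header_overhead(records=1000):
    """Raw vs. zlib-compressed size of the repeated per-record headers alone."""
    # Constructed flow between documentation-range addresses, alternating W.
    raw = b"".join(build_header("2001:db8::1", "2001:db8::2", i % 2 == 0)
                   for i in range(records))
    return len(raw), len(zlib.compress(raw))
```

Because every record carries its own version nibble and addresses, the parser needs no per-flow state and still works when the address family changes between records.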
        