Wireshark mailing list archives
Re: What is the history and status of PCAP Next Generation?
From: Tyson Key <tyson.key () gmail com>
Date: Wed, 9 Oct 2013 19:23:25 +0100
Apologies for the thread hijacking... For what it's worth, I've just had a play with the latest build of CommView (6.5, build 734), and it seems to have basic support for writing PCAP-NG files. (Emits no packet comments, and doesn't use any nifty features like storing application/machine info). Since I haven't got a tool for reverse-engineering PCAP-NG traces handy (other than looking at strings in a text editor), I'm assuming that they're generating very bare-bones IDBs, and using (Simple?) Packet Blocks for storing the packet data. I don't know if it'll preserve unrecognised block/field types, or comments, either.
From testing with some of the traces that I've attached to bug reports related to CommView .NCF support in Wireshark, it seems that I can export Ethernet packets with full fidelity; although exporting 802.11 captures is a lossy process (the RSSI, band/frequency, and bandwidth/link speed field values are lost). In fact, it seems that even though the .NCF format supports multiple link layer types (and converting 802.11-only captures works fine), attempting to export a sample file containing 802.11, Ethernet, and Token Ring packets to PCAP-NG results in a useless file with all of the packets assigned to a single interface with an Ethernet link type.

So I guess that it's a good start from the TamoSoft folks - but they've got a little more work to do, before they can call their product fully-interoperable with PCAP-NG.

I still don't know if any of MS's offerings support writing files in this format, though.

Tyson.

2013/10/9 Jasper Bongertz <jasper.sharklists () packet-foo com>
Sorry to answer this late; I saw this email a week ago but didn't manage to reply - the todo got swapped out but never swapped in again. Graham gave me a heads up (that I didn't see until now, either, *sigh*), so here I go.

Q2: What is the status of pcap-ng?
* "it works fine, everyone's using it, it just isn't an RFC" or
* "it's an abandoned effort, plain pcap is good enough" or
* "all development has moved to X, take a look at X"

"It works fine, some software's using it, and there's no RFC for pcap format, either, although there probably should be informative RFCs for both of them at some point."

At Sharkfest 2013 we (me, plus the Wireshark devs that were "in range") had an impromptu meeting regarding the status of the PCAP-ng specifications. I offered to see if we can go in the direction of an RFC, but got a bit sidetracked. I had checked how the procedures work in July/August, but at the time the RFC submission process was closed for new submissions. It should be open again by now, so I'll try to go forward asap.

Oh, and regarding the status of PCAP-ng I'd say it is more like "a couple of tools are using it, but most are still stuck on pcap for whatever reason."

Cheers,
Jasper

___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request () wireshark org ?subject=unsubscribe
-- Fight Internet Censorship! http://www.eff.org http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon | 00447934365844
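The check the message above does by eye (which block types an exporter writes, and whether packets from different link types keep separate interfaces) can be done with a short block walker. This is an added example, not part of either message or of any tool named in the thread; `inventory`, `block` and the sample bytes are constructed here, and it assumes a single-section file.

```python
import struct
from collections import Counter

SHB, IDB, SPB, EPB = 0x0A0D0D0A, 1, 3, 6  # pcapng block type codes
NAMES = {SHB: "SHB", IDB: "IDB", SPB: "SPB", EPB: "EPB"}
LINKTYPES = {1: "Ethernet", 6: "Token Ring", 105: "IEEE 802.11"}
ORDER = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}  # byte-order magic

def inventory(data):
    """Return (block counts, link type per interface, packets per interface)."""
    blocks, links, packets = Counter(), [], Counter()
    end, off = "<", 0
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError(f"truncated block at offset {off}")
        if data[off:off + 4] == b"\n\r\r\n":  # SHB: its magic sets the byte order
            end = ORDER[data[off + 8:off + 12]]  # KeyError if the magic is invalid
        btype, total = struct.unpack_from(end + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        if struct.unpack_from(end + "I", data, off + total - 4)[0] != total:
            raise ValueError(f"length trailer mismatch at offset {off}")
        body = data[off + 8:off + total - 4]
        blocks[NAMES.get(btype, hex(btype))] += 1
        if btype == IDB:  # interface IDs are assigned in IDB order
            links.append(struct.unpack_from(end + "H", body)[0])
        elif btype == EPB:  # Enhanced Packet Block starts with its interface ID
            packets[struct.unpack_from(end + "I", body)[0]] += 1
        elif btype == SPB:  # Simple Packet Block always belongs to interface 0
            packets[0] += 1
        off += total
    return blocks, [LINKTYPES.get(n, f"LINKTYPE {n}") for n in links], packets

def block(btype, body):
    """Frame a little-endian block; used only to build the constructed sample."""
    body += b"\0" * (-len(body) % 4)
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

# Constructed sample (not a real capture): two interfaces, one EPB, one SPB.
SAMPLE = (
    block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    + block(IDB, struct.pack("<HHI", 1, 0, 65535))
    + block(IDB, struct.pack("<HHI", 105, 0, 65535))
    + block(EPB, struct.pack("<IIIII", 1, 0, 0, 4, 4) + b"\xde\xad\xbe\xef")
    + block(SPB, struct.pack("<I", 4) + b"\xde\xad\xbe\xef")
)

if __name__ == "__main__":
    print(inventory(SAMPLE))
```

A file that lists a single Ethernet IDB with every packet counted on interface 0, when the source capture mixed link types, matches the collapsed export described in the message.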