Re: What is the history and status of PCAP Next Generation?

[Guy Harris <guy () alum mit edu>]

On Sep 30, 2013, at 1:57 AM, Matthias <wireshark () matthias fastmail fm> wrote:

>  Q1: Is the version of the pcap-ng spec I found the latest one?
>
>       https://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html

Currently, yes.

>  Q2: What is the status of pcap-ng?
>
>      * "it works fine, everyone's using it, it just isn't an RFC"
>   or * "it's an abandoned effort, plain pcap is good enough"
>   or * "all development has moved to X, take a look at X"

"It works fine, some software's using it, and there's no RFC for pcap format, either, although there probably should be 
informative RFCs for both of them at some point."

> As far as I can tell, some tools, e.g. 'tcpdump' never moved to pcap-ng.

tcpdump reads whatever libpcap supports, and the standard version of libpcap currently supports pcap and, to the extent 
that its current APIs support it, pcap-ng.

OS X's tcpdump, as of Mountain Lion, can also *write* pcap-ng files (it uses comments to store whatever process 
information gets attached to outgoing packets), although it's not the default.

Tamosoft's Commview and Microsoft's Message Analyzer can both read pcap-ng files (in addition to pcap files).

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe