tcpdump mailing list archives
Re: proposed new pcap format
From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Mon, 12 Apr 2004 10:46:37 -0400
-----BEGIN PGP SIGNED MESSAGE-----
"Christian" == Christian Kreibich <christian () whoop org> writes:
>> That's a nice feature, and one we should try to maintain if >> possible. Christian> There's another thing I'd like to point out: the new Christian> scheme, in its current state, doesn't provide the snaplen Christian> value that the old pcap_file_header provides. I think a Christian> *lot* of applications use that value to allocate a buffer Christian> to store packet data before starting to read packets. At most, it could be a hint of a likely size, if we support any method of concatenating files. We could perhaps have a "ranlib"-like tool that walked a pcap file to optomize the hint at the beginning. Christian> I agree that the ability to cat together trace files Christian> would be nice. However if that's the only benefit, while Christian> otherwise every packet-iterating application becomes a Christian> whole lot more complicated because it must find a way to Christian> deal with pure metadata without any packet data at random Having every part of the file being identical in structure has a lot of benefits in my opinion. There are numerous times when I wanted to do stuff like: ( tcpdump -r file1 -w - filespec1; tcpdump -r file1 -w - filespec2 ) | analysis-program Often this occurs for me in writing test cases, but also in trying to understand what has broken in a network. - -- ] ON HUMILITY: to err is human. To moo, bovine. | firewalls [ ] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[ ] mcr () xelerance com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[ ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: Finger me for keys iQCVAwUBQHqry4qHRg3pndX9AQFIdwP9HZYJr2FGc4KICi1GH5C0WbzomWsfdVx1 xMeRM8mWuCXsqKexR+Dx99Ldc1MBFUbznErtSHtBfSUJcXrv2eefawrMNo0jxHJ2 KQj/+JHGgaKN6x/en+K3HpatDk/9iMuHO5NXqO0CzHUIAow2eY+IaKMAl91ry4/9 RhyE9Fj4nVQ= =AMsR -----END PGP SIGNATURE----- - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Current thread:
- Re: proposed new pcap format Hannes Gredler (Apr 02)
- <Possible follow-ups>
- Re: proposed new pcap format Christian Kreibich (Apr 02)
- Re: proposed new pcap format Darren Reed (Apr 02)
- Re: proposed new pcap format Michael Richardson (Apr 02)
- Re: proposed new pcap format Michael Richardson (Apr 12)
- Re: proposed new pcap format Darren Reed (Apr 02)
- Re: proposed new pcap format Guy Harris (Apr 02)
- Re: proposed new pcap format Richard Sharpe (Apr 04)
- Re: proposed new pcap format Ryan Mooney (Apr 05)
- Re: proposed new pcap format Guy Harris (Apr 06)
- Re: proposed new pcap format Ryan Mooney (Apr 05)
- Re: Proposed new pcap format Michael Richardson (Apr 05)
- Re: Proposed new pcap format Loris Degioanni (Apr 06)
- Re: Proposed new pcap format Richard Sharpe (Apr 07)
- Re: Proposed new pcap format Michael Richardson (Apr 12)
- Re: Proposed new pcap format Loris Degioanni (Apr 13)
- Re: Proposed new pcap format Loris Degioanni (Apr 06)
- Re: Proposed new pcap format Ronnie Sahlberg (Apr 09)