tcpdump mailing list archives

Re: Proposed new pcap format


From: Guy Harris <guy () alum mit edu>
Date: Tue, 13 Apr 2004 12:04:55 -0700


On Apr 13, 2004, at 6:58 AM, Darren Reed wrote:

What I'd like to see hashed, by the kernel, is the data it provides
to the user application.  Depending on the purpose, this has better
trustworthiness, I feel. libpcap may decide to throw away that hash
and include its own in the dump file.

I'm not suggesting this just for a quick comparison point of view
(as are some others) but from a data reliability perspective.  If
you have a multithreaded application interacting with libpcap, it
would be nice if the pcap data that you considered sensitive could
be hashed by the provider (the kernel), as is the case with other
data streams in life.

I.e., there are two features being considered here:

1) a mechanism by which the kernel can provide a hash of the packet to ensure some level of trust in the packet data;

2) a mechanism by which packets in a libpcap-TNG file can have hashes associated with them for various purposes;

and the hash from 1) would be one hash that *could* be attached to a packet, but there's no requirement that a packet have a hash associated with it or that, if it does, it's the hash from the kernel.

So I'd see those as separate items for discussion. The mechanism in 2) needs to be sufficient to handle the hashes from 1) as well as other hashes people might want to provide, but that mechanism itself is somewhat decoupled from the hashing in 1).
