Re: pcap files with file header snaplen < packet

["Gianluca Varenni" <gianluca.varenni () cacetech com>]

----- Original Message ----- 
From: "Harley Stenzel" <hstenzel () users sourceforge net>
To: <tcpdump-workers () lists tcpdump org>
Sent: Monday, December 04, 2006 1:30 PM
Subject: Re: [tcpdump-workers] pcap files with file header snaplen < packet


> On 12/4/06, Gerald Combs <gerald () wireshark org> wrote:
> > Harley Stenzel wrote:
> > > Looking forward, however, it would be helpful if the libpcap file
> > > format provided a way to tag the source of the captured packet, so
> > > that merged files do not loose information.
> >
> > NTAR supports this:
> >
> >   http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#sectionpb
>
> It certainly does, but it expired more than 2 years ago.  Is it still 
> active?

Although the draft expired 2 yrs ago, and I released some update to the NTAR 
code back in february, the project is still alive. The new file format has 
not been integrated into wireshark or libpcap/tcpdump yet (on my side mainly 
because of lack of time), but the ntar library has been used quite a lot in 
some avionics products

http://www.gefanucembedded.com/products/1044
http://www.gefanucembedded.com/products/1069

(in fact, if you look at appendix B, 
http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#appendixBlockCodes, 
there are some references to some new blocks).

Personally I plan to work a bit on it in the christmas holidays and release 
a new version of ntar that includes some tools to convert to/from the pcap 
format.

I don't know if this answers to your question.

Have a nice day
GV




> --Harley
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe. 

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.