tcpdump mailing list archives
pcap format / standard(s)
From: Jesse Norell <jesse () kci net>
Date: Wed, 16 May 2007 15:57:40 -0600
Hello, I hope this is an appropriate question for this group. I'm with a group (WISPA) working on developing a standard for delivery of data to meet the CALEA law requirements. We'd like to use pcap as the format for likely obvious reasons, though as I'm looking into the specifics I run into differences in formats outlined at http://www.tcpdump.org/pcap/pcap.html vs. http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html, the latter being an update of the former.

Am I correct in assuming that the first describes what is actually in use today/still, and the other was more of an update of where things would head (likely to ultimately be a standard)? Has any further work been done on format/etc. since then (2004)?

Perhaps we can word our standard such that it allows using the current pcap format or any later format as agreed by both parties (law enforcement and the entity performing the wiretap). If/when a newer version of pcap would come out, do you anticipate libpcap will support backwards compatibility? Both of the above documents list major version 1, minor version 0; is what is put in pcap files today also 1 and 0, or will there be a way to tell older files from newer ones?

Any other comments/etc. are quite welcome.

Thanks,
Jesse

--
Jesse Norell - jesse () kci net
Kentec Communications, Inc.

This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
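The question of how to tell an older capture from a newer one comes down to the first bytes of the file. The classic libpcap savefile starts with a 32-bit magic (0xa1b2c3d4, or 0xa1b23c4d for nanosecond timestamps) written in the writer's native byte order, followed by major/minor version fields that libpcap writes as 2.4; the pcapng format described in the second document starts with a Section Header Block whose type 0x0a0d0d0a reads the same under either byte order and which carries a separate byte-order magic and a version of 1.0. The following is an added example, not code from the post or from libpcap, that sniffs those headers, reports format, byte order and version, and walks classic pcap records while validating the per-record lengths against the declared snaplen and the bytes actually present, since a delivered capture's length fields should not be trusted blindly. The sample files it parses are constructed inline; the helper names and the synthetic timestamps are this example's own.

```python
"""Sniff the pcap / pcapng container format and version from a capture's header.

Added example (not from the mailing-list post or libpcap); the layouts follow the
classic libpcap file header and the pcapng Section Header Block. Sample files
are constructed inline by the build_* helpers.
"""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4        # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D        # classic pcap, nanosecond timestamps
PCAPNG_SHB_TYPE = 0x0A0D0D0A        # pcapng Section Header Block type
PCAPNG_BYTE_ORDER_MAGIC = 0x1A2B3C4D


def sniff_capture_format(data: bytes) -> dict:
    """Return {'format', 'endian', 'version', ...} for a pcap or pcapng blob."""
    if len(data) < 24:
        raise ValueError("shorter than a pcap file header")
    # Classic pcap: the magic is written in the writer's native byte order, so
    # trying both orders recovers the endianness used for every later field.
    for endian in ("<", ">"):
        magic, = struct.unpack(endian + "I", data[:4])
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
                endian + "HHiIII", data[4:24])
            return {"format": "pcap", "endian": endian,
                    "version": (major, minor), "snaplen": snaplen,
                    "linktype": linktype,
                    "ts_resolution": "ns" if magic == PCAP_MAGIC_NSEC else "us"}
    # pcapng: the SHB type is the same under either byte order, so the
    # byte-order magic at offset 8 is what fixes the endianness.
    if data[:4] == b"\x0a\x0d\x0d\x0a":
        if len(data) < 28:
            raise ValueError("truncated pcapng Section Header Block")
        for endian in ("<", ">"):
            bom, = struct.unpack(endian + "I", data[8:12])
            if bom == PCAPNG_BYTE_ORDER_MAGIC:
                major, minor = struct.unpack(endian + "HH", data[12:16])
                return {"format": "pcapng", "endian": endian,
                        "version": (major, minor)}
        raise ValueError("pcapng SHB with unrecognised byte-order magic")
    raise ValueError("not a pcap or pcapng file (magic %s)" % data[:4].hex())


def iter_pcap_records(data: bytes):
    """Yield (ts_sec, ts_frac, orig_len, payload) for each classic pcap record.

    Lengths come from the file, so they are checked against the declared
    snaplen and against the bytes actually present before any slicing.
    """
    info = sniff_capture_format(data)
    if info["format"] != "pcap":
        raise ValueError("record iteration only implemented for classic pcap")
    endian, snaplen = info["endian"], info["snaplen"]
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("implausible incl_len %d at offset %d" % (incl_len, off))
        if off + 16 + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        yield ts_sec, ts_frac, orig_len, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def build_pcap(packets, endian="<", nsec=False, snaplen=65535, linktype=1):
    """Construct a classic pcap file (version 2.4) around the given payloads."""
    magic = PCAP_MAGIC_NSEC if nsec else PCAP_MAGIC_USEC
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype)
    for i, pkt in enumerate(packets):   # synthetic, increasing timestamps
        out += struct.pack(endian + "IIII", 1_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def build_pcapng_shb(endian="<"):
    """Construct a minimal pcapng Section Header Block (version 1.0, no options)."""
    body = struct.pack(endian + "IHHq", PCAPNG_BYTE_ORDER_MAGIC, 1, 0, -1)
    total = 4 + 4 + len(body) + 4       # type + length + body + trailing length
    return (struct.pack(endian + "II", PCAPNG_SHB_TYPE, total) + body
            + struct.pack(endian + "I", total))


if __name__ == "__main__":
    # Constructed sample input: two short payloads in a little-endian pcap.
    sample = build_pcap([b"\x00" * 14 + b"hello", b"\xff" * 14 + b"world"])
    print(sniff_capture_format(sample))
    for rec in iter_pcap_records(sample):
        print(rec)
    print(sniff_capture_format(build_pcapng_shb(">")))
```

The sniffer answers the "older files from newer ones" question directly: a classic file identifies itself by magic and 2.4, a pcapng file by the SHB type and 1.0, and a reader that accepts both can dispatch on `format` before it trusts anything else in the file.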
Current thread:
- pcap format / standard(s) Jesse Norell (May 16)
- Re: pcap format / standard(s) Guy Harris (May 16)