tcpdump mailing list archives

pcap format / standard(s)


From: Jesse Norell <jesse () kci net>
Date: Wed, 16 May 2007 15:57:40 -0600

Hello,

  I hope this is an appropriate question for this group.  I'm with a
group (WISPA) working on developing a standard for delivery of data to
meet the CALEA law requirements.  We'd like to use pcap as the format
for likely obvious reasons, though as I'm looking into the specifics I
run into differences in formats outlined at

http://www.tcpdump.org/pcap/pcap.html

    vs.

http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html

the latter being an update of the former.  Am I correct in assuming that
the first describes what is actually in use today/still, and the other
was more of an update of where things would head (likely to ultimately
be a standard)?

  Has any further work been done on format/etc. since then (2004)?

  Perhaps we can word our standard such that it allows using the current
pcap format or any later format as agreed by both parties (law
enforcement and the entity performing the wiretap).  If/when a newer
version of pcap would come out, do you anticipate libpcap will support
backwards compatibility?

  Both of the above documents list major version 1, minor version 0;
is what is put in pcap files today also 1 and 0, or will there be a way
to tell older files from newer ones?

  Any other comments/etc. are quite welcome.

Thanks,
Jesse


-- 
Jesse Norell - jesse () kci net
Kentec Communications, Inc.
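The question of how a reader tells an older pcap file from a newer one is answered by the first bytes of the file, so here is an added example (not code from the list or from libpcap) that sniffs a capture's leading bytes and reports which format, byte order, version and timestamp resolution it carries. It reads the classic pcap global header (magic, major, minor, thiszone, sigfigs, snaplen, linktype) and the Section Header Block that opens a pcapng file (the successor to the winpcap draft linked above). The three sample headers are constructed inline for the demonstration; the version numbers in them (2.4 for pcap, which is what libpcap writes, and 1.0 for pcapng) are the ones the respective writers put in the file.

```python
"""Identify a capture file's container format from its leading bytes."""
import struct

# Classic pcap magic numbers as they appear when read in the file's own byte order.
PCAP_MAGIC_USEC = 0xA1B2C3D4   # timestamps in seconds + microseconds
PCAP_MAGIC_NSEC = 0xA1B23C4D   # variant with seconds + nanoseconds
# pcapng: Section Header Block type (byte-order independent) and byte-order magic.
PCAPNG_SHB_TYPE = 0x0A0D0D0A
PCAPNG_BYTE_ORDER_MAGIC = 0x1A2B3C4D


def _swap32(value: int) -> int:
    """Byte-swap a 32-bit value (what a wrong-endian read of it would yield)."""
    return struct.unpack("<I", struct.pack(">I", value))[0]


def identify_capture(data: bytes) -> dict:
    """Return format, byte order and version info for a pcap or pcapng header.

    Raises ValueError when the bytes match neither container format.
    """
    if len(data) < 16:
        raise ValueError("not enough bytes for any capture header")

    # pcapng: the block type 0x0A0D0D0A reads the same in either byte order,
    # so the byte-order magic at offset 8 decides the endianness.
    if struct.unpack_from("<I", data, 0)[0] == PCAPNG_SHB_TYPE:
        bom = struct.unpack_from("<I", data, 8)[0]
        if bom == PCAPNG_BYTE_ORDER_MAGIC:
            endian, order = "<", "little"
        elif bom == _swap32(PCAPNG_BYTE_ORDER_MAGIC):
            endian, order = ">", "big"
        else:
            raise ValueError("pcapng block type without a valid byte-order magic")
        major, minor = struct.unpack_from(endian + "HH", data, 12)
        # In pcapng the timestamp resolution is per interface (if_tsresol option),
        # not a property of the file header.
        return {"format": "pcapng", "byte_order": order,
                "version": (major, minor), "ts_resolution": None}

    # Classic pcap: try both byte orders; the magic tells us which one wrote it.
    if len(data) < 24:
        raise ValueError("not enough bytes for a pcap global header")
    for endian, order in (("<", "little"), (">", "big")):
        magic = struct.unpack_from(endian + "I", data, 0)[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            major, minor, thiszone, sigfigs, snaplen, linktype = \
                struct.unpack_from(endian + "HHiIII", data, 4)
            return {"format": "pcap", "byte_order": order,
                    "version": (major, minor),
                    "ts_resolution": "nanoseconds" if magic == PCAP_MAGIC_NSEC
                    else "microseconds",
                    "thiszone": thiszone, "sigfigs": sigfigs,
                    "snaplen": snaplen, "linktype": linktype}
    raise ValueError("unrecognised magic number: not pcap or pcapng")


# Constructed sample headers (no packet records needed to identify the format).
SAMPLE_PCAP_LE = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAP_BE_NSEC = struct.pack(">IHHiIII", PCAP_MAGIC_NSEC, 2, 4, 0, 0, 262144, 1)
# Minimal pcapng SHB: type, total length, byte-order magic, major, minor,
# section length (-1 = unknown), trailing total length; no options.
SAMPLE_PCAPNG_LE = (struct.pack("<IIIHHq", PCAPNG_SHB_TYPE, 28,
                                PCAPNG_BYTE_ORDER_MAGIC, 1, 0, -1)
                    + struct.pack("<I", 28))

if __name__ == "__main__":
    for name, blob in (("pcap LE", SAMPLE_PCAP_LE),
                       ("pcap BE nsec", SAMPLE_PCAP_BE_NSEC),
                       ("pcapng LE", SAMPLE_PCAPNG_LE)):
        print(name, identify_capture(blob))
```

Checking the magic first and only then trusting the version fields matters for a tool that ingests captures from another party: a file that carries a recognised magic but an unexpected major version should be rejected up front rather than parsed with the wrong record layout.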

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.