tcpdump mailing list archives

Re: New official link-layer type request

From: Guy Harris <gharris () sonic net>
Date: Sat, 18 May 2019 16:31:13 -0700

On May 18, 2019, at 3:54 PM, Michael Richardson <mcr () sandelman ca> wrote:

Guy Harris <gharris () sonic net> wrote:

If we *do* use pcapng, that would mean that:

1) Wireshark wouldn't be able to read the lawful intercept information
in the files until support for new block types and options are added to
it;


Is wireshark modular in how it handles pcapng blocks?


Somewhat, although it could probably use more work.

2) tcpdump wouldn't be able to read the lawful intercept information in
the files until we add full pcapng support (with new APIs) to libpcap,
including support for the new block types and options, and add support
for the new APIs, and for the new block types and options, to tcpdump;


I hope to solve this in 2019/2020.


Definitely.  The sooner, the better; that would allow capturing on Linux, for example, to supply direction information 
for *all* link-layer header types (or, at least, for all link-layer header types provided by regular Linux interfaces), 
as well as providing IDBs for all interfaces when capturing on the "any" device, so that you could see what interface 
each packet came in on, even if you're reading the file on a machine other than the one on which the capture was done.

To be fair, those programs would *also* have to be modified to handle
LINKTYPE_ELEE - and programs that can read pcapng would at least be
able to read the intercepted packets without change, assuming they just
ignore unknown block and option types (which they should do!).


:-)
My thought is that the regular packets would be in regular blocks, and the
extra info would be in the extended blocks.  So without extensions, one can
read the packets and do stuff with them, but not know, for instanse, which
link they came from, or maybe (I have no idea if this is real meta-info)
which warant was used to obtain the data.


Exactly.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

Current thread:

Re: New official link-layer type request, (continued)
- - - Message not available
    - Re: New official link-layer type request Damir Franusic (May 12)
    - Re: New official link-layer type request Michael Richardson (May 18)
    - Re: New official link-layer type request Damir Franusic (May 18)
    - Re: New official link-layer type request Guy Harris (May 18)
    - Re: New official link-layer type request Damir Franusic (May 18)
    - Re: New official link-layer type request Guy Harris (May 18)
    - Re: New official link-layer type request Damir Franusic (May 18)
    - Re: New official link-layer type request Guy Harris (May 18)
    - Re: New official link-layer type request Damir Franusic (May 19)
    - Message not available
    - Re: New official link-layer type request Guy Harris (May 18)
    - Message not available
    - Re: New official link-layer type request Guy Harris (May 18)
    - Re: New official link-layer type request Damir Franusic (May 18)
    - Re: New official link-layer type request Damir Franusic (May 18)
    - Re: New official link-layer type request Guy Harris (May 18)
- Re: New official link-layer type request Guy Harris (May 11)
- Message not available
  - Re: New official link-layer type request Damir Franusic (May 12)
- Message not available
  - Re: New official link-layer type request Damir Franusic (May 12)