tcpdump mailing list archives

Re: proposed new pcap format

From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Tue, 23 Mar 2004 22:31:34 -0500

Michael Richardson wrote:

This is what I would propose as revision.
Note that the pcap1_packet_header is present on every packet. One can
merge pcap files together with "cat" if one likes.


That's a nice feature, and one we should try to maintain if possible.

A suggestion was made to accomodate the nano-second resolution from AIX.
Can you tell me what they do for that? just more bits, sure, but is
there a nano-seconds (32-bits, I guess) + seconds (64 bits?).

enum pcap1_info_types {
        PCAP_DATACAPTURE,
        PCAP_TIMESTAMP,
};

struct pcap1_info_container {
        bpf_u_int32 info_len;         /* in bytes */
        bpf_u_int32 info_type;        /* enum pcap1_info_types */


That could be two int16s, couldn't it?

        unsigned char info_data[0];
};

struct pcap1_info_timestamp {
        struct pcap1_info_container pic;
        bpf_int32      thiszone;        /* gmt to local correction */

I feel strongly that all pcap timestamps should be UTC. Think of it likeUNIX file metadata; timestamps in inodes are UTC. Your local zone is aninterpretion applied to those timestamps.

If this is meant to handle the "wall time" notion proposed a fewmessages back, I think that is just metadata and should go in a metadatapacket. Maybe there should be some standard metadata types.

In addition, represented as metadata, I think zone information should bean Olsen zone name. There should be another metadata type for time erroroffset. Thus if you have a capture from a system with an unsynchronizedclock, you could retrospectively insert a metadata packet at thebeginning indicating the system's time error offset. Then programs thatread it can adjust timestamps on the fly.


Also, it would redundant to put zone info in each timestamp.

>    struct timeval ts;      /* time stamp */
>    bpf_u_int32 sigfigs;    /* accuracy of timestamps */
> }; 

Significant figures in what base? I wouldn't go there.

--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe

Current thread:

proposed new pcap format Michael Richardson (Mar 23)
- Re: proposed new pcap format Guy Harris (Mar 23)
  - Re: proposed new pcap format Hannes Gredler (Mar 24)
    - Re: proposed new pcap format Michael Richardson (Mar 24)
    - Re: proposed new pcap format Guy Harris (Mar 24)
    - Re: proposed new pcap format Darren Reed (Mar 24)
    - Re: proposed new pcap format Guy Harris (Mar 24)
    - Re: proposed new pcap format Hannes Gredler (Mar 24)
  - Re: proposed new pcap format Michael Richardson (Mar 24)
- Re: proposed new pcap format Jefferson Ogata (Mar 23)
  - Re: proposed new pcap format Michael Richardson (Mar 24)
    - Re: proposed new pcap format Darren Reed (Mar 24)
    - Re: proposed new pcap format Michael Richardson (Mar 25)
- Re: proposed new pcap format Darren Reed (Mar 24)
  - Re: proposed new pcap format Michael Richardson (Mar 24)
    - Re: proposed new pcap format Darren Reed (Mar 24)
    - Re: proposed new pcap format Guy Harris (Mar 24)
    - Re: proposed new pcap format Darren Reed (Mar 24)
    - Re: proposed new pcap format Michael Richardson (Mar 24)
    - Re: proposed new pcap format Darren Reed (Mar 25)

(Thread continues...)