tcpdump mailing list archives

Re: proposed new pcap format


From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Wed, 24 Mar 2004 09:55:56 -0500

"Guy" == Guy Harris <guy () alum mit edu> writes:
    >> This is what I would propose as revision.
    >> Note that the pcap1_packet_header is present on every packet. One can
    >> merge pcap files together with "cat" if one likes.

    Guy> OK - that's a bit much to write for every packet, though, as
    Guy> most of it is redundant.

  I don't think it is really that much. Less than 20 bytes. Very
compressible too.

    Guy> Does each record have a pcap1_packet_header and *one*
    Guy> pcap1_info_container, or one or more up to block_len bytes?  If
    Guy> the latter, you could have more than one packet per
    Guy> pcap1_packet header. 

  You could have more than one packet per header, true. Is that a good
thing? I'm not sure. That wasn't what I was thinking, though.

  You could also have zero packets per header - for instance, just have
metadata containing the expression used.
  
    >> A suggestion was made to accommodate the nano-second resolution from AIX.
    >> Can you tell me what they do for that? just more bits, sure, but is
    >> there a nano-seconds (32-bits, I guess) + seconds (64 bits?).

    Guy> 32-bit seconds, 32-bit nanoseconds.

  I like to have more than 32-bit seconds. I like the nanoseconds.

    >> enum pcap1_info_types {
    >> PCAP_DATACAPTURE,
    >> PCAP_TIMESTAMP,
    >> };

    Guy> ...with that list presumably being expandable over time.

  yes.

    >> bpf_int32      thiszone; /* gmt to local correction */

    Guy> We currently have that but don't use it - it's always zero.
    Guy> Should we start using it?

  I guess I'm ignorant of the fact that we aren't using it!

    >> struct timeval ts;       /* time stamp */
    >> bpf_u_int32 sigfigs;     /* accuracy of timestamps */

    Guy> Similarly, that's never been set - should we start using it?

  I think so. Certainly in the version 1.0 format.

--
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr () xelerance com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
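
The container-count question in the message above (one container per header, several up to block_len, or none), as an added example that is not part of the original message or of libpcap: a bounds-checked walk over one record of an untrusted capture file. Only block_len and the two type names come from the thread; the byte layout (4-byte little-endian block_len, 2-byte type, 2-byte length, 12-byte timestamp payload) and the names walk_record, rec_summary and rd_le are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Type names are from the thread; every size and offset below is an assumption. */
enum pcap1_info_types { PCAP_DATACAPTURE, PCAP_TIMESTAMP };

struct rec_summary { unsigned packets; uint64_t sec; uint32_t nsec; int has_ts; };

static uint32_t rd_le(const uint8_t *p, int n)     /* little-endian, n <= 4 */
{
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Walk one record: 4-byte block_len, then containers made of a 2-byte type,
 * a 2-byte len and len bytes of payload (hypothetical layout).
 * Returns the bytes consumed, or -1 if a length runs past its enclosing bound. */
int64_t walk_record(const uint8_t *buf, size_t avail, struct rec_summary *out)
{
    out->packets = 0; out->has_ts = 0; out->sec = 0; out->nsec = 0;
    if (avail < 4) return -1;
    uint32_t block_len = rd_le(buf, 4);
    if (block_len > avail - 4) return -1;          /* header claims more than we hold */

    const uint8_t *p = buf + 4;
    size_t left = block_len;
    while (left > 0) {                             /* zero containers is a valid record */
        if (left < 4) return -1;                   /* truncated container header */
        uint32_t type = rd_le(p, 2), len = rd_le(p + 2, 2);
        if (len > left - 4) return -1;             /* container overruns block_len */
        if (type == PCAP_DATACAPTURE) {
            out->packets++;                        /* several packets per header are counted */
        } else if (type == PCAP_TIMESTAMP) {
            if (len != 12) return -1;              /* 64-bit seconds + 32-bit nanoseconds */
            out->sec = ((uint64_t)rd_le(p + 8, 4) << 32) | rd_le(p + 4, 4);
            out->nsec = rd_le(p + 12, 4);
            if (out->nsec >= 1000000000u) return -1;
            out->has_ts = 1;
        }                                          /* unknown types skipped: the list may grow */
        p += 4 + len;
        left -= 4 + len;
    }
    return (int64_t)block_len + 4;
}
```

Because every record carries its own header, a file made by concatenating captures can be read by calling walk_record again at the returned offset.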