tcpdump mailing list archives
Re: Proposed new pcap format
From: "Fulvio Risso" <fulvio.risso () polito it>
Date: Wed, 14 Apr 2004 08:14:03 +0200
-----Original Message----- From: tcpdump-workers-owner () lists sandelman ca [mailto:tcpdump-workers-owner () lists sandelman ca]On Behalf Of Loris Degioanni Sent: martedì 13 aprile 2004 20.18 To: tcpdump-workers () tcpdump org Subject: Re: [tcpdump-workers] Proposed new pcap format Hi,----- Original Message ----- From: "Loris Degioanni" Sent: Monday, April 12, 2004 2:55 PM Subject: Re: [tcpdump-workers] Proposed new pcap formatEssentially, what you propose is that the SHB CONTAINS asection ratherthanMARKING its beginning. The SHB, in fact, as any other block,includes aBlock Total Length field, which could be used to specify the length ofdatathat follows the header. However, this field is 32 bit only. Do you think it's too short, considering that we could put another SHB after 4 GB?32 bits is too short. (some) People are already today using 2GB capture files with all the pains that brings with pcap and pcap-supposed-to-be-compliant implementations that treat file-length/offset as signed integer.So, the solutions are: a. to use a field of the SHB instead than its length, to specify the length of a section. This field can be 64 bit. b. to use the length of the SHB, modifying the block header to contain a 64 bit "Block Total Length" rather than a 32 bit one. This solution has the disadvantage of making the capture files longer and more complex to parse, but allows easy backward file navigation (the Block Total Length is replicated at the end of the block exactly for this purpose), which can be a useful feature. c. to use the length of the SHB, maintaning the 32 bit "Block Total Length". This solution allows backward navigation, but requires to create a new SHB every 4 gigabites. What do you vote?
Personally I don't like to transform the Section Header Block from a MARKER
to a CONTAINER.
I don't like to rewind the file in case of large capture in order to update
such a value.
And what about if the application crashes before updating that value? The
format of the file is wrong, because the section length is set to a wrong
value.
Personally, I would like to keep the SHB a marker, and add and option that
says "the size of this section is XXX", where XXX is a 64 bit number.
fulvio
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
Current thread:
- Re: Proposed new pcap format, (continued)
- Re: Proposed new pcap format Michael Richardson (Apr 16)
- Re: Proposed new pcap format Loris Degioanni (Apr 11)
- Re: Proposed new pcap format Ronnie Sahlberg (Apr 11)
- Re: Proposed new pcap format Loris Degioanni (Apr 13)
- Re: Proposed new pcap format Fulvio Risso (Apr 13)
- Re: Proposed new pcap format Hannes Gredler (Apr 14)
- Re: Proposed new pcap format Fulvio Risso (Apr 14)
- Re: Proposed new pcap format Ronnie Sahlberg (Apr 11)
- Re: Proposed new pcap format Ronnie Sahlberg (Apr 11)
- Re: Proposed new pcap format Loris Degioanni (Apr 13)
- Re: Proposed new pcap format Fulvio Risso (Apr 13)
- Re: Proposed new pcap format Michael Richardson (Apr 16)
- Re: Proposed new pcap format Guy Harris (Apr 21)
- Re: Proposed new pcap format Darren Reed (Apr 22)
- Re: Proposed new pcap format Jefferson Ogata (Apr 22)
- Re: Proposed new pcap format Darren Reed (Apr 22)