Re: Proposed new pcap format

[Michael Richardson <mcr () sandelman ottawa on ca>]

-----BEGIN PGP SIGNED MESSAGE-----


> > > > > "Fulvio" == Fulvio Risso <fulvio.risso () polito it> writes:
    Fulvio> Personally I don't like to transform the Section Header
    Fulvio> Block from a MARKER to a CONTAINER.  I don't like to rewind
    Fulvio> the file in case of large capture in order to update such a
    Fulvio> value.  And what about if the application crashes before
    Fulvio> updating that value? The format of the file is wrong,
    Fulvio> because the section length is set to a wrong value.

  I agree.

    Fulvio> Personally, I would like to keep the SHB a marker, and add
    Fulvio> and option that says "the size of this section is XXX",
    Fulvio> where XXX is a 64 bit number.

  Yes, with 0 meaning "guess"

  We have a program, "pcapopt" or some such can go through and add
appropriate data later on. Maybe it can do after-the-fact hashing as well.

- --
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr () xelerance com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQH/siYqHRg3pndX9AQGW8QQAvIN7172P1L38gEX+2BjHBklrA53z4Jyb
ANWpit9uzIEZFwZI52L2rBDNWALpOreh08vkb/bZEQn7dAvLKPg3PxdLzcV9qwhs
2PayqGWeucCAo8gyYbEMMFVz/FYwyzsy3ZrLjLYTm2pCopVB/Is8g9hLqOc1dMeA
nD0mge88O0Y=
=f7Qy
-----END PGP SIGNATURE-----
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.