Re: proposed new pcap format

[Guy Harris <guy () alum mit edu>]

On Apr 5, 2004, at 10:39 PM, Ryan Mooney wrote:

> What about adding the concept of arbitrary meta-packets that can
> sit anywhere in the capture stream.  These could be used to encode
> comments, and other meta-data.

In Michael Richardson's proposal, a capture file is a sequence of 
records, each of which contains one or more type/length/value items.  A 
record need not contain a PCAP_DATACAPTURE item; if it doesn't contain 
one, it'd be meta-data without a packet, and if it does contain one, 
it's a packet, possibly with additional meta-data.

In Loris Degioanni and Fulvio Risso's proposal, a capture file is a 
sequence of records, each of which is a type/length/value item.  Some 
of the record types include a sequence of type/length/value options 
within them.

Both of those schemes support the concept of arbitrary meta-data that 
can appear anywhere in the capture stream, encoding comments and other 
meta data...

> This concept could also be used for other internal meta-data for
> example capture information like direction, interface info, etc...).
> There would have to be a way to tag future as part of a meta-data
> stream (to handle multiple interfaces, etc..).

...and handle multiple interfaces, as well as meta-data associated with 
packets and not associated with packets...

> This could be done in a way to preserve the ability to cat multiple
> files together

...and support the ability to concatenate multiple capture files with 
"cat".

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.