Re: Proposed new pcap format

[Michael Richardson <mcr () sandelman ottawa on ca>]

-----BEGIN PGP SIGNED MESSAGE-----


> > > > > "Darren" == Darren Reed <darrenr () reed wattle id au> writes:
    >> Oh, I forgot.
    >> 
    >> Another useful thing to have is an option for the packet block
    >> where one would store a reasonably collission-safe 8-byte hash of
    >> the packet data.
    >> 
    >> This would make it much easier to compare two different capture
    >> files to see where packets are missing etc.

    Darren> I'll agree that this, as part of the per-packet header,
    Darren> would be a useful addition to the pcap format.  No need for
    Darren> chained hashing, just per-record.

  a) how strong do we need to make this?
     8-byte implies it won't be CRC32. A longer CRC? MD4? MD5? SHA1?

  b) how much performance can we afford?
     (clearly, it could be left as 0 and filled in later on)

  c) do we include this in every packet header?  Or as an extra
     meta-attribute? 

- --
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr () xelerance com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQHqtQIqHRg3pndX9AQEcigQA1IyZsAVoZPrF5L5I32GDhHDuBXwyNRLa
waK8bKlz4XmLt84J2rbmgg2J4Gz3pOKRH+KoENvdY2Zs+b01QAcMIMRPhjozGuGn
XgR4ilOHBrgCSwFCX0/Kx+jeSMC1xCBW3/Z7IPXdtMNnQoPF0yrizowhM/oJHbAR
/W4xXXko7Ig=
=myaW
-----END PGP SIGNATURE-----
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.