tcpdump mailing list archives
Re: proposed new pcap format
From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Mon, 12 Apr 2004 10:46:37 -0400
"Christian" == Christian Kreibich <christian () whoop org> writes:
>> That's a nice feature, and one we should try to maintain if
>> possible.
Christian> There's another thing I'd like to point out: the new
Christian> scheme, in its current state, doesn't provide the snaplen
Christian> value that the old pcap_file_header provides. I think a
Christian> *lot* of applications use that value to allocate a buffer
Christian> to store packet data before starting to read packets.
At most, it could be a hint of a likely size, if we support any method
of concatenating files.
We could perhaps have a "ranlib"-like tool that walked a pcap file to
optimize the hint at the beginning.
Christian> I agree that the ability to cat together trace files
Christian> would be nice. However if that's the only benefit, while
Christian> otherwise every packet-iterating application becomes a
Christian> whole lot more complicated because it must find a way to
Christian> deal with pure metadata without any packet data at random
Having every part of the file being identical in structure has a lot
of benefits in my opinion.
There are numerous times when I wanted to do stuff like:
    ( tcpdump -r file1 -w - filespec1;
      tcpdump -r file1 -w - filespec2 ) | analysis-program
Often this occurs for me in writing test cases, but also in trying to
understand what has broken in a network.
--
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr () xelerance com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
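
Added example, not part of the original message or of libpcap: a C sketch of a reader that treats a file-level snaplen only as an allocation hint, as discussed above, and validates each record's caplen itself. It assumes a bare stream of little-endian classic pcap per-record headers (ts_sec, ts_usec, caplen, len) with no file header, since the proposed format's layout is not given in this message; `walk_records`, `put_record` and `MAX_CAPLEN` are names made up for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define REC_HDR_LEN 16u      /* ts_sec, ts_usec, caplen, len (32 bits each) */
#define MAX_CAPLEN  262144u  /* hard per-packet cap chosen for this example */
static uint32_t le32(const uint8_t *p) {     /* alignment-safe LE read */
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Constructed input helper: write one record with caplen zero bytes. */
size_t put_record(uint8_t *dst, uint32_t caplen) {
    memset(dst, 0, REC_HDR_LEN + (size_t)caplen);
    for (int i = 0; i < 4; i++)
        dst[8 + i] = dst[12 + i] = (uint8_t)(caplen >> (8 * i));
    return REC_HDR_LEN + (size_t)caplen;
}
/* Walk records in data[0..len). snaplen_hint sizes only the first
 * allocation; every caplen is checked against MAX_CAPLEN and the bytes
 * left. Returns packet count or -1; *final_cap = buffer size needed. */
long walk_records(const uint8_t *data, size_t len,
                  uint32_t snaplen_hint, size_t *final_cap) {
    size_t cap = snaplen_hint ? snaplen_hint : 64, off = 0;
    long count = 0;
    if (cap > MAX_CAPLEN) cap = MAX_CAPLEN;  /* the hint is untrusted too */
    uint8_t *buf = malloc(cap);
    if (!buf) return -1;
    while (len - off >= REC_HDR_LEN) {
        uint32_t caplen = le32(data + off + 8);
        off += REC_HDR_LEN;
        if (caplen > MAX_CAPLEN || caplen > len - off) { count = -1; break; }
        if (caplen > cap) {                  /* hint was too small: grow */
            uint8_t *nbuf = realloc(buf, caplen);
            if (!nbuf) { count = -1; break; }
            buf = nbuf; cap = caplen;
        }
        memcpy(buf, data + off, caplen);     /* fits: caplen <= cap */
        off += caplen; count++;
    }
    if (count >= 0 && off != len) count = -1;  /* trailing partial header */
    free(buf);
    *final_cap = cap;
    return count;
}
int main(void) {  /* hint of 60, then a 1500-byte packet as after a "cat" */
    static uint8_t s[2 * REC_HDR_LEN + 60 + 1500];
    size_t n = put_record(s, 60), cap;
    n += put_record(s + n, 1500);
    return walk_records(s, n, 60, &cap) == 2 && cap == 1500 ? 0 : 1;
}
```

A reader that instead allocates snaplen bytes once and copies caplen bytes per record overruns its buffer as soon as a later part of the stream was captured with a larger snaplen.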
