tcpdump mailing list archives

Re: Proposed new pcap format


From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Tue, 13 Apr 2004 19:09:52 -0400

Darren Reed wrote:
> On the contrary, it's a trivial matter, really, to add more.
>
> Is there a "default" hashing method for SSL ?
> Or IPSec ?
> Or S/MIME ?
> No.
>
> In each case the specification defines support for a number of different
> hashes, of varying strengths and the choice is left to the end user to
> decide on what they wish to use.  I don't see why libpcap should be any
> different.

Something keeps bugging me, and I just want to throw it out there for the mad dogs to tear into little bloody pieces:

Given all the desirable options people are looking for in this, and the need for future growth, I think we should seriously consider an XML-based format. Besides making it easy, format-wise, to include many optional features and types of metadata, programs could also embed decoded frame and protocol information in appropriate elements, right within the capture file.

<capture ...>
  <!-- a decoded frame -->
  <frame timestamp='1081896827.110627' length='142' snaplen='70'>
    <ethernet src='00:03:47:01:02:03' dst='00:03:47:04:05:06' type='0x0800'>
      0003470102030003470405060800
    </ethernet>
    <ip vers='4' hlen='20' ... flags='0x04' ... proto='17'>
      45000080...
      <udp sport='781' dport='2049' cksum='0xae49'>
        030d0801...
        <nfs op='READ' fh='0130493022...' offset='16384'>
           ...
        </nfs>
      </udp>
    </ip>
  </frame>

  <!-- an undecoded frame -->
  <frame timestamp='1081896827.113144' length='80' snaplen='70'>
    000347010203000347040506080045000080...
  </frame>

  ...
</capture>

Yes, fully fledged decoded captures would use a lot of extra disk, but a raw no-frills capture could be recorded with maybe only 50% or so overhead.

Processors using xslt or custom code could pull out just what they're interested in using XPath expressions. Decoders for specific application protocols could be written as filters to produce decoded elements in the output XML.

And so on... mull it over for a minute before you start shredding.

--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
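Added example, not from the mail or from libpcap: a small Python processor for the XML layout sketched above, pulling frames and UDP ports out with ElementTree's XPath subset and comparing the file size with what classic pcap would need for the same bytes. The capture document and its hex bodies are constructed for this example; element and attribute names follow the sketch, and the raw packet bytes are assumed to be the concatenation of the hex text nodes in document order.

```python
"""Process a capture written in the XML layout proposed on the list."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the mail's sketch (not a real capture).
# Wire order puts the destination MAC first, so the raw hex starts with dst.
SAMPLE = """<capture>
  <frame timestamp='1081896827.110627' length='142' snaplen='42'>
    <ethernet dst='00:03:47:01:02:03' src='00:03:47:04:05:06' type='0x0800'>
      0003470102030003470405060800
    </ethernet>
    <ip vers='4' hlen='20' proto='17'>
      4500005012344000401100000a0000010a000002
      <udp sport='781' dport='2049' cksum='0xae49'>030d0801003cae49</udp>
    </ip>
  </frame>
  <frame timestamp='1081896827.113144' length='80' snaplen='42'>
    0003470102030003470405060800
    4500005012344000401100000a0000010a000002030d0801003cae49
  </frame>
</capture>"""


def raw_bytes(frame):
    """Rebuild the packet by concatenating every hex text node in document
    order; this works for decoded (nested) and undecoded frames alike."""
    return bytes.fromhex("".join("".join(frame.itertext()).split()))


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def decode_ethernet(pkt):
    """Parse the 14-byte Ethernet header from raw packet bytes."""
    return {"dst": _mac(pkt[0:6]), "src": _mac(pkt[6:12]),
            "type": int.from_bytes(pkt[12:14], "big")}


def frames(xml_text):
    """One summary dict per <frame>. Capture files are attacker-influenced
    input: parse untrusted ones with defusedxml.ElementTree instead."""
    root = ET.fromstring(xml_text)
    out = []
    for f in root.findall("./frame"):
        pkt = raw_bytes(f)
        out.append({"timestamp": float(f.get("timestamp")),
                    "length": int(f.get("length")), "caplen": len(pkt),
                    "decoded": len(f) > 0,  # any child elements present?
                    "eth": decode_ethernet(pkt)})
    return out


def udp_ports(xml_text):
    """The selective XPath-style query the mail suggests: UDP ports only."""
    root = ET.fromstring(xml_text)
    return [(int(u.get("sport")), int(u.get("dport")))
            for u in root.findall(".//udp")]


def size_comparison(xml_text):
    """(classic pcap bytes, XML bytes): pcap uses a 24-byte file header
    plus a 16-byte record header per frame in front of the captured bytes."""
    pcap = 24 + sum(16 + f["caplen"] for f in frames(xml_text))
    return pcap, len(xml_text.encode())
```

Running `size_comparison(SAMPLE)` shows the XML version of these two frames is several times the pcap size, well above the 50% overhead estimated in the mail, because the hex encoding alone doubles the payload bytes before any element markup is counted.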