tcpdump mailing list archives

Re: New magic number


From: Guy Harris <guy () alum mit edu>
Date: Wed, 18 Aug 2004 00:07:06 -0700

Francisco Mesquita wrote:

> I understand that, I will send you the necessary changes to the file
> savefile.c as soon as I have the magic number (at least to have reading
> compatibility).


OK, I've assigned you 0xa1b234cd.

> When do you expect the new format will be available?


I don't think we have a date yet.  I think we'd like to finish up the
specification soon; it'll take longer to implement APIs to use all the
capabilities, although we could probably add the ability to read those
files - or, at least, files in that format that don't have captures from
more than one network interface - sooner than that, with the existing
APIs (which won't show all the data available in the file).

> If I can help, let me know.


The current specification for the new format can be found at

    http://www.tcpdump.org/pcap/pcap.html

or

    http://www.tcpdump.org/pcap/pcap.txt

Send any suggestions you have to the list.

> I will explain to you the reasons I need the fields I have put in the
> header:
> The purpose of the game is to have traffic statistics calculated from
> the packet dumps so,
> 1. The stats are needed to check the validity of the statistics; if 50%
> of the packets are dropped, the calculated traffic is bound to be wrong.


The new format has a packet-drop count in the per-packet header (so
that, if that count is available, you not only know how many packets
were dropped but *where* they were dropped; there's a special value for
"not available" - currently, I don't think any system other than Solaris
would supply that, but it might at least get added to the BSDs, Linux,
and WinPcap over time), as well as an Interface Statistics Block, which
can appear anywhere in the file (although it will probably appear at the
end of a capture - note that capture files in the new format can be
concatenated, so that it might contain multiple captures), giving
various statistics as well as capture start and end times.

> 2. The IP and netmask are used to find the network scope.


Those are also available, in an Interface Description Block; those
appear at the beginning of a capture, one block per interface (and could
conceivably appear in the middle, if, for example, a new interface is
plugged in and we're capturing on the Linux "any" fake device).

> 3. The start and end time to calculate averages. This is actually a
> little tricky because I am rotating the files at fixed time intervals,
> for example, at 0:00, 0:05, 0:10..., all the files having exactly 5
> minutes of data.


Those are also in the Interface Statistics Block.
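As an added illustration, not code from this thread or from libpcap: a minimal Python reader for the block layout Guy describes above (Interface Description Block carrying an address/netmask, per-packet drop count, Interface Statistics Block with counters and start/end times). It constructs a one-interface capture in memory and pulls those values back out. Block type and option code numbers are taken from the pcapng specification as later published, which is an assumption relative to the 2004 draft this message discusses.

```python
import struct, socket

SHB, IDB, ISB, EPB, BOM = 0x0A0D0D0A, 1, 5, 6, 0x1A2B3C4D  # pcapng as later published (assumption)
ISB_OPTS = {2: "starttime", 3: "endtime", 4: "ifrecv", 5: "ifdrop"}

def block(btype, body):  # type, total length, body, total length again (little-endian writer)
    return struct.pack("<II", btype, 12 + len(body)) + body + struct.pack("<I", 12 + len(body))
def opt(code, value):    # one TLV option, padded to a 32-bit boundary
    return struct.pack("<HH", code, len(value)) + value + b"\0" * (-len(value) % 4)

def options(body, fmt, off=0):  # yield (code, raw value) until opt_endofopt (0) or body end
    while off + 4 <= len(body):
        code, length = struct.unpack(fmt + "HH", body[off:off + 4])
        if code == 0:
            return
        yield code, body[off + 4:off + 4 + length]
        off += 4 + ((length + 3) & ~3)

def u64(val, fmt, timestamp=False):  # counters: one 64-bit word; timestamps: two 32-bit words, high then low
    hi, lo = struct.unpack(fmt + "II", val)
    return (hi << 32) | lo if timestamp else struct.unpack(fmt + "Q", val)[0]

def summarize(data):  # walk blocks; collect interface addresses, per-packet drop counts and ISB stats
    out, fmt, off = {"ifaces": [], "pkt_drops": [], "stats": []}, "<", 0
    while off + 12 <= len(data):
        if struct.unpack("<I", data[off:off + 4])[0] == SHB:  # the SHB's byte-order magic fixes endianness
            fmt = "<" if struct.unpack("<I", data[off + 8:off + 12])[0] == BOM else ">"
        btype, blen = struct.unpack(fmt + "II", data[off:off + 8])
        body = data[off + 8:off + blen - 4]
        if btype == IDB:    # linktype(2) reserved(2) snaplen(4), then options; code 4 = if_IPv4addr
            out["ifaces"] += [(socket.inet_ntoa(v[:4]), socket.inet_ntoa(v[4:8]))
                              for c, v in options(body[8:], fmt) if c == 4]
        elif btype == EPB:  # ifid(4) ts(8) caplen(4) len(4) data(padded), then options; code 4 = epb_dropcount
            caplen = struct.unpack(fmt + "I", body[12:16])[0]
            out["pkt_drops"] += [u64(v, fmt) for c, v in options(body, fmt, 20 + ((caplen + 3) & ~3)) if c == 4]
        elif btype == ISB:  # ifid(4) ts(8), then options
            out["stats"].append({ISB_OPTS[c]: u64(v, fmt, c in (2, 3))
                                 for c, v in options(body[12:], fmt) if c in ISB_OPTS})
        off += blen
    return out

def drop_ratio(stats):  # assumes isb_ifrecv counts every packet the interface saw, dropped ones included
    return stats["ifdrop"] / stats["ifrecv"]

# Constructed sample: one section, one interface, one packet noting 3 drops before it, one ISB with 100/50.
SAMPLE = (block(SHB, struct.pack("<IHHq", BOM, 1, 0, -1))
          + block(IDB, struct.pack("<HHI", 1, 0, 65535) + opt(4, socket.inet_aton("192.168.1.10")
                  + socket.inet_aton("255.255.255.0")) + opt(0, b""))
          + block(EPB, struct.pack("<IIIII", 0, 0, 0, 3, 3) + b"\x01\x02\x03\0" + opt(4, struct.pack("<Q", 3)) + opt(0, b""))
          + block(ISB, struct.pack("<III", 0, 0, 0) + opt(2, struct.pack("<II", 1, 1000)) + opt(3, struct.pack("<II", 1, 1300))
                  + opt(4, struct.pack("<Q", 100)) + opt(5, struct.pack("<Q", 50)) + opt(0, b"")))
```

With the sample above, `summarize(SAMPLE)` reports the interface as 192.168.1.10/255.255.255.0, a per-packet drop count of 3, and statistics from which `drop_ratio` yields 0.5, the 50% case from the message.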
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.