tcpdump mailing list archives

Re: MIME type for libpcap (tcpdump -w)


From: Glen Turner <gdt () gdt id au>
Date: Thu, 04 Nov 2010 15:20:12 +1030

Michael Richardson wrote:
So, I say, go for it.

Hi folks,

There is a MIME type registration form at
    <http://www.iana.org/cgi-bin/mediatypes.pl>

Below are my intended responses. Comments are welcome, see especially the
interoperability and security questions.

Cheers, Glen


Your Name:
[Glen Turner]

Your Email Address:
[gdt@___.__.__]


1. Media Type Name:
    See RFC 2046 section 3, and RFC 2077.
[application]


2. Subtype name (See Existing subtype names)
    See also RFC 2046, and RFC 4288, sections 3 and 4.2.
    Note: Registrations in the standards tree must be approved by the
    IESG and must correspond to a formal publication by a recognized
    standards body.
Vendor Tree - [vnd.tcpdump.org-libpcap]


3. Required parameters
    See RFC 2046 section 1, and RFC 4288, section 4.3
[]


4. Optional parameters
    See RFC 2046 section 1, and RFC 4288, section 4.3
[]


5. Encoding considerations
    See RFC 2046 section 6, and RFC 4288 section 4.8.
[ ] 7 bit text
[ ] 8 bit text
    (this media type may require encoding on transports not capable of
     handling 8 bit text)
[X] binary
    (this media type may require encoding on transports not capable of
     handling binary)
[ ] framed
    (transport must provide framing information)


6. Security considerations
See RFC 4288, section 4.6
Note that discussion of security considerations is required.
[
The media does not contain "active content" (see RFC4288 section 4.6).

The general header and the packet headers may form a covert channel
which identifies the class of host which created the media.

The media contains captured network packets. These packets may breach
the privacy of end-users. Those end-users may be unaware that a packet
capture has taken place. Even if applications attempt to preserve
end-user privacy by encrypting packet contents (eg, TLS) the
end-user's packet headers and packet timing are still subject to
traffic analysis.

It is strongly recommended that packet captures be encrypted when
transmitted (by e-mail, web or whatever) to preserve end-users'
privacy from unauthorised interception.

Bugs may exist in some reading programs which could possibly be
exploited to gain unauthorized access to a recipient's system.  Apart
from noting this possibility, there is no specific action to take to
prevent this, apart from the timely correction of such bugs if any are
found.
]


7. Interoperability considerations
See RFC 4288, section 4.5
[
A network protocol capture is written in host byte order. The first
four bytes form a magic number. 0xa1b2c3d4 indicates that the reader
has the same byte order as the writer. 0xd4c3b2a1 indicates that the
reader has a different byte order from the writer and should swap
bytes as it reads.

The accuracy and resolution of the time stamp on each packet depends
upon the host and its operating system.

The header contains major and minor version numbers to allow a reading
program to determine if it is compatible with the media. A reading
program is not compatible if it encounters a major version number
greater than it expects.

Data link types are assigned by tcpdump.org and can be viewed in the
file pcap/bpf.h of the libpcap code. The data link types DLT_USER0 to
DLT_USER15 are reserved for local use and thus are intentionally not
interoperable.
]


8. Published specification
See RFC 4288, section 4.10
[
See "Libpcap File Format" at
  <http://wiki.wireshark.org/Development/LibpcapFileFormat>.

The file format was invented for use by tcpdump (software written by
V Jacobson, C Leres and S McCanne, incorporated in BSD UNIX, and now
widely available on many systems).

Source code for libpcap and tcpdump is available from
  <http://www.tcpdump.org/>.
]


9. Applications which use this media type
See RFC 4288, section 4.5
[
libpcap, a C library to capture network packets for POSIX-like systems.

Net::Pcap, Jpcap, python-libpcap, Ruby/Pcap are respectively Perl,
Java, Python and Ruby bindings for libpcap.

WinPcap, a port of libpcap for Microsoft Windows

libpcap and WinPcap are in turn used by:

tcpdump, a command line tool to capture and display network packets

wireshark, a graphical tool to capture, display and analyse network packets

snort, a network intrusion detector

Many other programs which capture, display, analyse, manipulate and
replay network traffic use this media format.
]


10. Additional information
See RFC 4288, section 4.11
 * Magic number(s)
   [0xa1b2c3d4, 0xd4c3b2a1]

 * File extension(s)
   [.pcap, .cap, .dmp]

 * Macintosh File Type Code(s)
   []

 * Object Identifier(s) or OID(s)
  (See RFC1494)
   []


11. Intended usage
[Common]
[
Network captures written in the format used by libpcap are widely
used in the data networking community. They can be sent in email with
a strong expectation that the receiver's network capture software can
read them.
]


12. Other Information/General Comment
[
For further information see <http://www.tcpdump.org/>.
]


Person to contact for further information
See RFC 4288, section 4.9
  * Name
    [Guy Harris]
  * E-mail
    [guy@____.___.___]
  * Author/Change controller
    [Guy Harris <guy@____.___.___>]
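The byte-order detection, major-version check and untrusted-length handling that sections 6 and 7 of the draft registration describe, as an added example that is not part of the original message and is not libpcap's own code. It is a stand-alone Python reader plus a writer for constructed test data; the names `parse_pcap`, `build_pcap` and `PcapError`, the assumed supported major version of 2, the use of file version 2.4 and link type 1 (Ethernet), and the sample packet are all this example's own assumptions. The reader refuses any record whose claimed length exceeds the snaplen, the original length, or the bytes actually present, which is the concrete form of the "bugs in reading programs" concern in the security considerations.

```python
import struct

# The two magic numbers named in the registration text (sections 7 and 10).
MAGIC_NATIVE = 0xA1B2C3D4   # trial byte order matches the writer's
MAGIC_SWAPPED = 0xD4C3B2A1  # same value with bytes reversed: swap on read

GLOBAL_HEADER_LEN = 24  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16  # ts_sec, ts_usec, incl_len, orig_len
SUPPORTED_MAJOR = 2     # assumed: the major version this toy reader understands


class PcapError(ValueError):
    """Raised for anything in the file the reader refuses to trust."""


def parse_pcap(data, supported_major=SUPPORTED_MAJOR):
    """Parse an in-memory libpcap capture.

    Returns (header, packets): header is a dict of global-header fields,
    packets a list of (ts_sec, ts_usec, orig_len, payload) tuples.  Every
    length read from the file is checked before it is used as a slice size.
    """
    if len(data) < GLOBAL_HEADER_LEN:
        raise PcapError("shorter than the 24-byte global header")
    # Byte-order detection: read the magic as little-endian on trial; the
    # value tells us whether the writer used that order or the other one.
    (trial,) = struct.unpack_from("<I", data, 0)
    if trial == MAGIC_NATIVE:
        endian = "<"
    elif trial == MAGIC_SWAPPED:
        endian = ">"
    else:
        raise PcapError("unknown magic number 0x%08x" % trial)
    _, major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack_from(
        endian + "IHHiIII", data, 0)
    if major > supported_major:
        raise PcapError("major version %d is newer than this reader" % major)
    header = {"byte_order": endian, "version": (major, minor),
              "thiszone": thiszone, "sigfigs": sigfigs,
              "snaplen": snaplen, "linktype": linktype}
    packets = []
    offset = GLOBAL_HEADER_LEN
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER_LEN:
            raise PcapError("truncated record header at offset %d" % offset)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(
            endian + "IIII", data, offset)
        offset += RECORD_HEADER_LEN
        # incl_len comes from the file, so it is attacker-controlled: bound it
        # by snaplen, by orig_len and by the bytes that are actually present.
        if incl_len > snaplen:
            raise PcapError("record at %d: incl_len %d exceeds snaplen %d"
                            % (offset, incl_len, snaplen))
        if incl_len > orig_len:
            raise PcapError("record at %d: incl_len exceeds orig_len" % offset)
        if incl_len > len(data) - offset:
            raise PcapError("record at %d: %d bytes claimed, %d remain"
                            % (offset, incl_len, len(data) - offset))
        packets.append((ts_sec, ts_usec, orig_len, data[offset:offset + incl_len]))
        offset += incl_len
    return header, packets


def build_pcap(packets, endian="<", version=(2, 4), snaplen=65535, linktype=1):
    """Write a capture in the chosen byte order (constructed test data only).

    Assumes file version 2.4 and link type 1 (Ethernet in libpcap's DLT list).
    """
    out = bytearray(struct.pack(endian + "IHHiIII", MAGIC_NATIVE, version[0],
                                version[1], 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, payload in packets:
        out += struct.pack(endian + "IIII", ts_sec, ts_usec,
                           len(payload), len(payload))
        out += payload
    return bytes(out)


def demo():
    """Round-trip a constructed packet both ways and reject two hostile files."""
    payload = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + b"constructed payload"
    sample = [(1288845012, 123456, payload)]  # constructed timestamp and frame
    results = {}
    for endian in ("<", ">"):
        header, pkts = parse_pcap(build_pcap(sample, endian=endian))
        results[endian] = (header["byte_order"], len(pkts), pkts[0][3])
    # A record header claiming 4 GiB of packet data, followed by one byte.
    hostile = (build_pcap([])
               + struct.pack("<IIII", 0, 0, 0xFFFFFFFF, 0xFFFFFFFF) + b"\x00")
    # A file from a hypothetical future major version this reader cannot read.
    future = build_pcap(sample, version=(3, 0))
    for name, blob in (("oversized", hostile), ("newer_major", future)):
        try:
            parse_pcap(blob)
            results[name] = None
        except PcapError as err:
            results[name] = str(err)
    return results
```

Running `demo()` parses the same frame from a little-endian and a big-endian file, then reports the error strings for the oversized record and the unsupported major version; a reader that skipped those checks would hand the 0xFFFFFFFF length to its buffer handling, which is exactly the class of bug the security considerations warn about.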