tcpdump mailing list archives

Re: asking for a new link-layer header type value


From: Guy Harris <guy () alum mit edu>
Date: Wed, 20 Jul 2011 09:36:03 -0700


On Jul 19, 2011, at 11:48 AM, nicolas roche wrote:

I was wondering if the number of packets lost by the kernel may be added
to the .pcap file header.

Not without assigning a new magic number for the new file format.

The pcap file header is of a fixed length, and if you add a new field without, in effect, defining a new pcap format 
with a new magic number, you will end up with files that cannot be read by *any* programs that know the old format, 
such as tcpdump, Kismet, Wireshark, and so on.

pcap-ng format has the ability to store that, although, unfortunately, I don't think any of the underlying capture 
mechanisms libpcap supports supply packet-drop counts along with the packets, so

        1) that would require an extra system call, to get the drop counts, for every group of packets that's read;

        2) that system call is done after packets are queued up to be read by libpcap, so the value it would get if 
libpcap were to make it when processing a packet won't necessarily reflect the number of packets dropped by the kernel 
when the packet it's processing had arrived;

so there would be a performance hit and it wouldn't give you an accurate value in any case.  Fixing that would require 
a change to Linux's PF_PACKET socket code, *BSD's and Mac OS X's BPF code, and so on.
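The fixed-length header point above, as an added example that is not part of the original message and is not libpcap code: a simplified classic-format reader is run over a constructed capture that carries an extra drop-count field after the 24-byte header. The names build_file and read_first, the magic value HYPO_MAGIC and the drop count 17 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC   0xa1b2c3d4u /* classic pcap magic number */
#define HYPO_MAGIC   0xa1b2ffffu /* hypothetical magic for an extended format */
#define FILE_HDR_LEN 24          /* fixed size that existing readers assume */
enum { READ_OK, READ_BAD_MAGIC, READ_CORRUPT };

static uint32_t rd32(const uint8_t *p) { /* little-endian load */
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint8_t *wr32(uint8_t *p, uint32_t v) { /* little-endian store */
    p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
    return p + 4;
}

/* Constructed sample: one 4-byte packet; optionally a drop count is
   appended to the file header, as proposed in the thread. */
size_t build_file(uint8_t *out, uint32_t magic, int with_drops) {
    uint8_t *p = wr32(out, magic);
    p = wr32(p, 2 | (4u << 16));          /* version 2.4 */
    p = wr32(p, 0); p = wr32(p, 0);       /* thiszone, sigfigs */
    p = wr32(p, 65535); p = wr32(p, 1);   /* snaplen, linktype (Ethernet) */
    if (with_drops) p = wr32(p, 17);      /* the extra header field */
    p = wr32(p, 1311179763); p = wr32(p, 500000); /* ts_sec, ts_usec */
    p = wr32(p, 4); p = wr32(p, 4);       /* caplen, len */
    memcpy(p, "\xde\xad\xbe\xef", 4);
    return (size_t)(p + 4 - out);
}

/* Simplified reader for the classic format: it knows only PCAP_MAGIC and
   expects the first record header at byte 24. */
int read_first(const uint8_t *buf, size_t n, uint32_t *caplen) {
    if (n < FILE_HDR_LEN + 16) return READ_CORRUPT;
    if (rd32(buf) != PCAP_MAGIC) return READ_BAD_MAGIC; /* clean refusal */
    *caplen = rd32(buf + FILE_HDR_LEN + 8);
    if (*caplen > rd32(buf + 16) || *caplen > n - FILE_HDR_LEN - 16)
        return READ_CORRUPT;              /* record header makes no sense */
    return READ_OK;
}

int main(void) {
    uint8_t f[64]; uint32_t cap = 0;
    size_t n = build_file(f, PCAP_MAGIC, 1);
    int st = read_first(f, n, &cap);
    printf("old magic + extra field: status %d, caplen %u\n", st, (unsigned)cap);
    return 0;
}
```

With the old magic number the reader takes the drop count for ts_sec and the real ts_usec for caplen; with a distinct magic number it refuses the file before reading any record.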