Re: pcapng save files

[Michal Sekletar <msekleta () redhat com>]

On Thu, Jul 03, 2014 at 11:52:03AM -0400, Michael Richardson wrote:
> Guy Harris <guy () alum mit edu> wrote:
>     > The current libpcap support uses the existing APIs, which can't expose
>     > the full capabilities of pcap-ng; it requires all interfaces in the
>     > pcap-ng file to have the same link-layer header type and snapshot
>     > length, and all sections of the pcap-ng file to have the same byte
>     > order.  (Then again, Wireshark requires all sections of the pcap-ng
>     > file to be the same section :-); it currently supports only one
>     > section.  This needs to be fixed as well.)
>
> Yes, this is a good point.  I don't think we can go there until we start
> using pcapng by default, and start considering pcap as read-only.
>
> Also, I think that we will need to have a set of pcapng utilities.
> I was trying to run "netdude" which lets you pick/chose/edit pcap files,
> but the version of gtk that is requires is now obsolete... so I wound up
> trying to hex editing my pcap file to remove the unwanted packet, then I used
> tcpslice when I failed to get that right.
>
> (I realize that pcapng files have the goal that concatenation is simple)
>
>     > OS X Mountain Lion has changes to libpcap and tcpdump that allow
>     > tcpdump to write pcap-ng files (-P specifies "write pcap-ng"); sadly,
>     > those changes are under the APSL, patent clauses included, so I'm loath
>     > to incorporate them into our libpcap and tcpdump.
>
> Interesting, I didn't know Apple did that.
> Who did that work, I'm curious?  And why?

FWIW, 

https://www.opensource.apple.com/source/libpcap/libpcap-42/libpcap/pcapng.c

>     >> PCAPNG is magic 0x1A2BC3D4.
>     >> PCAP is magic   0xa1b23c4d.
>     >> I would have liked if PCAPNG had used the same magic, and actually just
>     >> bumped the PCAP_VERSION_MAJOR...
>
>     > I.e., if the major version number of the file is 3, the rest of the
>     > file header would look more like a pcap-ng Section Header Block, with
>     > the magic number being the block type?
>
> Yes, that's I would have preferred.
>
>     >> Did anyone tell the /bin/file people about the PCAPNG magic number?
>
>     > Yes:
>
> Good.
>
>     >> Anyway, I'm thinking that there should be another tcpdump 4.x release
>     >> that writes to pcap format by default, but has an option to force output
>     >> format to pcapng, and then a 5.x release that defaults to writing
>     >> pcapng.
>
>     > Yes; the new libpcap would have a new API that can read pcap and
>     > pcap-ng files and expose the full capabilities of pcap-ng, and another
>     > new API that can write pcap-ng files (and perhaps also pcap files; that
>     > would let us fix some infelicities in the current pcap writing API,
>     > such as not being able to get a write error indication or a close error
>     > indication), and tcpdump would, if those APIs are available in libpcap,
>     > use the new APIs to read files and would offer a -P flag to write
>     > pcap-ng files.  (The existing APIs would remain, for the benefit of
>     > programs not yet changed to use the new APIs.)
>
> I think that we should be able to make the existing APIs wrappers around
> new function?
>
> Are there specific things in a new API that would make wireshark happier?
> feel free to start a new thread ;-)
>
>     > Tcpdump 5.x would do the same, but write pcap-ng files by default; I'm
>     > not sure whether we should then make -P specify "write pcap" or add a
>     > new option for that.
>
> I'd like it to be -P pcap or -P pcapng (or -P pcap3 ).
> I'd also like tcpdump 5 to come with a new (alternate) main() where we
> get to start again on all the single letter options and go for long options.
>
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        | network architect  [
> ]     mcr () sandelman ca  http://www.sandelman.ca/        |   ruby on rails    [

Cheers,

Michal

> _______________________________________________
> tcpdump-workers mailing list
> tcpdump-workers () lists tcpdump org
> https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers