tcpdump mailing list archives

RFC: DLT for "application TCP stream capture"


From: "Paul \"LeoNerd\" Evans" <leonerd () leonerd org uk>
Date: Wed, 14 Jan 2015 02:05:49 +0000

I want an HTTP(S) client to write a dump file of the cleartext it is
sending/receiving, so I can analyse it later. I'm feeling like maybe a
pcap or pcapng file is good for that, so wireshark et al. can be
applied. Ideally it would include timing information, TCP port numbers
and IP addresses also.

Is there a pcap(ng) DLT for application-written byte streams? Userland
doesn't have access to the entire TCP stack state, so I can't just
write out the actual TCP segments. It would be nice though if I could
just write out chunks of bytes with timing and direction information.

Failing that, I know I /could/ just emit fake IPv4 packets containing
TCP segments, but that would be misleading to analysis applications, as
it is fake data rather than an accurate representation of what
happened. Ideally I would like to be able to emit frames that just say
what the TCP stream bytes were and minimal other information that
userland had to hand.

Thinking more about it of course, there's no reason this has to be
restricted to stream-like data - if the format could also handle
one-shot datagrams such as seen on UDP or similar, that could be
equally useful too.

If there is nothing suitable, I'll come up with a proposal for a new
DLT instead.

-- 
Paul "LeoNerd" Evans

leonerd () leonerd org uk
http://www.leonerd.org.uk/  |  https://metacpan.org/author/PEVANS
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
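One way an application could do what the post asks for today, as an added example that is not part of the original message or any tcpdump-workers proposal: write a classic pcap file under one of the private-use link types (DLT_USER0, value 147) and put a small constructed per-record header (direction, IPv4 addresses, ports) in front of each chunk of cleartext, so no fake IP/TCP headers are emitted. The record layout, the `read_capture`/`write_capture` helpers and the sample traffic are all assumptions made for this example.

```python
import socket
import struct

# Assumed choices for this example: classic pcap container, link type
# DLT_USER0 (147, reserved for private use) and a constructed per-record
# header: direction(1) + pad(1) + src ip4(4) + dst ip4(4) + sport(2) + dport(2).
DLT_USER0 = 147
PCAP_MAGIC = 0xA1B2C3D4
DIR_OUT, DIR_IN = 0, 1
REC_HDR = struct.Struct("!BB4s4sHH")


def global_header(snaplen=65535):
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype (host byte order)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, DLT_USER0)


def record(ts, direction, src, dst, payload):
    """Encode one chunk of cleartext with its timing, direction, addresses and ports."""
    hdr = REC_HDR.pack(direction, 0, socket.inet_aton(src[0]),
                       socket.inet_aton(dst[0]), src[1], dst[1])
    body = hdr + payload
    sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(body), len(body)) + body


def write_capture(chunks):
    """chunks: iterable of (ts, direction, (ip, port), (ip, port), bytes) -> pcap bytes."""
    return global_header() + b"".join(record(*c) for c in chunks)


def read_capture(data):
    """Parse a file written by write_capture back into (ts, dir, src, dst, payload)."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != DLT_USER0:
        raise ValueError("not a DLT_USER0 capture written by this example")
    out, off = [], 24
    while off < len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        body = data[off:off + caplen]
        off += caplen
        d, _, s_ip, d_ip, sport, dport = REC_HDR.unpack_from(body, 0)
        out.append((sec + usec / 1e6, d, (socket.inet_ntoa(s_ip), sport),
                    (socket.inet_ntoa(d_ip), dport), body[REC_HDR.size:]))
    return out


# Constructed sample (documentation address range): one request chunk sent,
# one response chunk received on the same connection.
SAMPLE = [
    (1421200000.25, DIR_OUT, ("10.0.0.2", 51234), ("203.0.113.10", 443),
     b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (1421200000.75, DIR_IN, ("203.0.113.10", 443), ("10.0.0.2", 51234),
     b"HTTP/1.1 200 OK\r\n\r\n"),
]
```

Wireshark can be told how to dissect a DLT_USER link type via its "DLT_USER" protocol preferences, but the record header above is only this example's convention, not a registered format.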