tcpdump mailing list archives

Re: New official link-layer type request


From: Damir Franusic <damir.franusic () gmail com>
Date: Sun, 19 May 2019 01:26:43 +0200

Hi

LEAs SHOULD accept only ASN.1 BER encoded data but that is not the case. I encountered a case where they wanted us to convert that ASN.1 back to pcap. And the problem was that IRI is not packet data and that's why I would like a new DLT so I could either have a pcap file with all ELEE data or pcapng with mixed LinkLayer types with some blocks having DLT_ELEE for IRI data.

I am trying to make our product more professional and combine Wireshark with ETSI. With this dissector plugin and ELEE DLT I am actually doing pretty great.

I guess pcapng could be used by using SectionHeader block with ELEE DLT for LI data (IRI and CC). I am doing my best and will continue to improve on that spec as promised.

I could use pcapng which seems like a good idea but I would still need that new ELEE DLT to set SectionHeader properly for IRI data that follows and also for CC data since unfortunately it also contains LI specific attributes. But you are right that pcapng could be ok.

I chose pcap since it's older and there's a better chance for support and I have previously encountered one agency that actually demanded it.


On 5/19/19 12:27 AM, Guy Harris wrote:
On May 11, 2019, at 3:42 PM, Michael Richardson <mcr () sandelman ca> wrote:

Also, it might be that pcapng would actually be a really good container for your work rather than inventing yet-another-TLV.
Are there any law enforcement agencies that *will* accept a pcap file but *won't* accept a pcapng file?  *If* that's the case, that would prevent pcapng from being used, but if it's *not* the case, that might mean pcapng could be used.

If we *do* use pcapng, that would mean that:

        1) Wireshark wouldn't be able to read the lawful intercept information in the files until support for new block types and options are added to it;

        2) tcpdump wouldn't be able to read the lawful intercept information in the files until we add full pcapng support (with new APIs) to libpcap, including support for the new block types and options, and add support for the new APIs, and for the new block types and options, to tcpdump;

        3) other programs that currently read pcap files would need to be able to read pcapng to read those files at all, and that support for pcapng would have to include the new block types and options in order to read the lawful intercept information.

To be fair, those programs would *also* have to be modified to handle LINKTYPE_ELEE - and programs that can read pcapng would at least be able to read the intercepted packets without change, assuming they just ignore unknown block and option types (which they should do!).

--
Damir Franusic

email: damir.franusic () gmail com
http://ele2.io/

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
