Handling of pcap-ng files in Wireshark

[Anders Broman <anders.broman () ericsson com>]

Hi,
Having spent some time looking at the implementation of handling pcap-ng files in Wireshark I think we have to
decide on how to handle the none packet blocks:

Section Header Block           SHB
Interface Description Block    IDB
Name Resolution Block         NRB
Interface Statistics Block       ISB

As it is now we hide the existence of these blocks and try to handle them behind the scenes, but we don't handle 
writing them back out again in a good way.
What would be the expected behavior filtering a pckap-ng capture should all the ISB:s be preserved, even if all the 
packets in between are gone?
- Would it make sense to stick SHB IDB NRB and ISB:s into the packet list some how and have them "dissected" as a 
packet frame? (or just a subset)
   They could be dissected as a "frame" with more or less data shown.
- Put them in frame data with a block type, but don't show them, messes up frame number I suppose.
- Continue to try to handle them separately. But showing the ISB at the place it occured might make sense.
- ?

At the moment actually having them in the packet list appeals to me but there is probably a downside and I don't know 
how big the design effort would be.
Comments? Other ideas?

Regards
Anders

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe