Re: Direction definition on packet bus with no direction info in packet header

[Guy Harris <guy () alum mit edu>]

On Oct 28, 2012, at 11:22 AM, Martin Kaiser <lists () kaiser cx> wrote:

> The solution we came up with is to have one DLT. The pcap packet data
> consists of a pseudo-header and the actual bytes that are transfered.
> The dissector picks up the direction from the pseudo-header.
> The capturing tool has to create the pseudo header for every packet it
> captures.

I would also recommend that solution.  The epb_flags field in pcap-ng is available only in pcap-ng, so critical 
information would be lost if, for whatever reason, the capture were written in a pcap file or converted from pcap-ng to 
pcap; in addition, I view it as indicating the packet's direction relative to the interface receiving it, which might 
represent a direction if the interface is a "live" interface on the capturing machine, but wouldn't do so if the 
machine is passively tapping a link, so I see epb_flags and pseudo-header directional information as separate.

Of the alternatives Andrew cited, 1) is, as he says, a bit heavy-handed, and 3) is a bit clunky *and* runs the risk 
that a user might destroy the information if they edit the comment.  4) probably is a bad idea for the reason Andrew 
gives.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe