Wireshark mailing list archives

Re: What is the history and status of PCAP Next Generation?


From: Tyson Key <tyson.key () gmail com>
Date: Wed, 9 Oct 2013 19:23:25 +0100

Apologies for the thread hijacking...

For what it's worth, I've just had a play with the latest build of CommView
(6.5, build 734), and it seems to have basic support for writing PCAP-NG
files. (Emits no packet comments, and doesn't use any nifty features like
storing application/machine info).

Since I haven't got a tool for reverse-engineering PCAP-NG traces handy
(other than looking at strings in a text editor), I'm assuming that they're
generating very bare-bones IDBs, and using (Simple?) Packet Blocks for
storing the packet data. I don't know if it'll preserve unrecognised
block/field types, or comments, either.

From testing with some of the traces that I've attached to bug reports
related to CommView .NCF support in Wireshark, it seems that I can export
Ethernet packets with full fidelity; although exporting 802.11 captures is
a lossy process (the RSSI, band/frequency, and bandwidth/link speed field
values are lost).

In fact, it seems that even though the .NCF format supports multiple link
layer types (and converting 802.11-only captures works fine), attempting to
export a sample file containing 802.11, Ethernet, and Token Ring packets to
PCAP-NG results in a useless file with all of the packets assigned to a
single interface with an Ethernet link type.

So I guess that it's a good start from the TamoSoft folks - but they've got
a little more work to do, before they can call their product
fully-interoperable with PCAP-NG.

I still don't know if any of MS's offerings support writing files in this
format, though.

Tyson.


2013/10/9 Jasper Bongertz <jasper.sharklists () packet-foo com>

Sorry to answer this late; I saw this email a week ago but didn't
manage to reply - the todo got swapped out but never swapped in again.
Graham gave me a heads up (that I didn't see until now, either,
*sigh*), so here I go.

 Q2: What is the status of pcap-ng?

     * "it works fine, everyone's using it, it just isn't an RFC"
  or * "it's an abandoned effort, plain pcap is good enough"
  or * "all development has moved to X, take a look at X"

"It works fine, some software's using it, and there's no RFC for
pcap format, either, although there probably should be informative
RFCs for both of them at some point."

At Sharkfest 2013 we (me, plus the Wireshark devs that were "in
range") had an impromptu meeting regarding the status of the PCAP-ng
specifications.

I offered to see if we can go in the direction of an RFC, but got a
bit sidetracked. I had checked how the procedures work in July/August, but
at the time the RFC submission process was closed for new submissions.
It should be open again by now, so I'll try to go forward asap.

Oh, and regarding the status of PCAP-ng I'd say it is more like "a
couple of tools are using it, but most are still stuck on pcap for
whatever reason."

Cheers,
Jasper


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe




-- 
                                          Fight Internet Censorship!
http://www.eff.org
http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon |
00447934365844

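The structure Tyson is inferring from the CommView output (a Section Header Block, one Interface Description Block per link type, and packet blocks tied to an interface ID) can be checked without a text editor and strings. Below is an added Python example, not code from this thread, from Wireshark or from TamoSoft: a minimal pcapng writer and parser that builds two constructed files, one with a separate IDB per link type and one with every packet assigned to a single Ethernet interface, and reports which link type each packet would actually be dissected with. Block, option and link-type constants are the draft's published values; the frame bytes, interface names and comments are constructed for the demo, and the parser handles little-endian sections only.

```python
import struct

# Block types, option codes and link types from the pcapng draft (little-endian sections only).
SHB, IDB, SPB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000003, 0x00000006
BYTE_ORDER_MAGIC = 0x1A2B3C4D
OPT_ENDOFOPT, OPT_COMMENT, OPT_IF_NAME = 0, 1, 2
LINKTYPE_ETHERNET, LINKTYPE_TOKEN_RING, LINKTYPE_IEEE802_11 = 1, 6, 105


def _pad4(b):
    return b + b"\0" * (-len(b) % 4)


def _options(opts):
    """Encode [(code, value_bytes), ...]; an empty list means no option field at all."""
    if not opts:
        return b""
    body = b"".join(struct.pack("<HH", c, len(v)) + _pad4(v) for c, v in opts)
    return body + struct.pack("<HH", OPT_ENDOFOPT, 0)


def _block(btype, body):
    """Generic block layout: type, total length, body, total length again as trailer."""
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def shb(comment=None):
    body = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)  # version 1.0, unknown section length
    return _block(SHB, body + _options([(OPT_COMMENT, comment.encode())] if comment else []))


def idb(linktype, name=None, snaplen=65535):
    body = struct.pack("<HHI", linktype, 0, snaplen)
    return _block(IDB, body + _options([(OPT_IF_NAME, name.encode())] if name else []))


def epb(iface, data, ts=0, comment=None):
    body = struct.pack("<IIIII", iface, ts >> 32, ts & 0xFFFFFFFF, len(data), len(data)) + _pad4(data)
    return _block(EPB, body + _options([(OPT_COMMENT, comment.encode())] if comment else []))


def _parse_options(buf):
    opts, off = {}, 0
    while off + 4 <= len(buf):
        code, ln = struct.unpack_from("<HH", buf, off)
        if code == OPT_ENDOFOPT:
            break
        opts[code] = buf[off + 4:off + 4 + ln]
        off += 4 + ln + (-ln % 4)
    return opts


def iter_blocks(buf):
    """Yield (block_type, body) per block; both length fields are checked before any slicing."""
    off = 0
    while off + 12 <= len(buf):
        btype, total = struct.unpack_from("<II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError(f"bad block length {total} at offset {off}")
        (trailer,) = struct.unpack_from("<I", buf, off + total - 4)
        if trailer != total:
            raise ValueError(f"trailer mismatch at offset {off}")
        yield btype, buf[off + 8:off + total - 4]
        off += total


def summarize(buf):
    """Return (interfaces, packets): interfaces as (linktype, if_name), packets as (iface_id, comment)."""
    ifaces, packets = [], []
    for btype, body in iter_blocks(buf):
        if btype == SHB:
            (magic,) = struct.unpack_from("<I", body, 0)
            if magic != BYTE_ORDER_MAGIC:
                raise ValueError("big-endian section; this toy parser only handles little-endian")
            ifaces = []  # interface IDs restart in every section
        elif btype == IDB:
            linktype, _, _ = struct.unpack_from("<HHI", body, 0)
            ifaces.append((linktype, _parse_options(body[8:]).get(OPT_IF_NAME, b"").decode()))
        elif btype == EPB:
            iface, _, _, caplen, _ = struct.unpack_from("<IIIII", body, 0)
            opts = _parse_options(body[20 + caplen + (-caplen % 4):])
            packets.append((iface, opts.get(OPT_COMMENT, b"").decode()))
        elif btype == SPB:
            packets.append((0, ""))  # SPB carries no interface ID (always 0) and no options
    return ifaces, packets


def packet_linktypes(buf):
    """Link type each packet is dissected with, i.e. the link type of its interface."""
    ifaces, packets = summarize(buf)
    return [ifaces[i][0] for i, _ in packets]


# Constructed sample frames (not real captures), one per original link type.
FRAMES = [(LINKTYPE_ETHERNET, b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\x00" * 20),
          (LINKTYPE_IEEE802_11, b"\x80\x00\x00\x00" + b"\xff" * 6 + b"\x00" * 14),
          (LINKTYPE_TOKEN_RING, b"\x10\x40" + b"\xff" * 6 + b"\x00" * 10)]

# Faithful export: one IDB per link type, each packet tied to the matching interface.
FAITHFUL = shb("constructed sample") + b"".join(idb(lt, f"if{lt}") for lt, _ in FRAMES) + \
    b"".join(epb(i, data, comment=f"frame {i}") for i, (_, data) in enumerate(FRAMES))

# Collapsed export: a single Ethernet IDB with every packet assigned to it, so the 802.11
# and Token Ring frames will be dissected as Ethernet.
COLLAPSED = shb() + idb(LINKTYPE_ETHERNET) + b"".join(epb(0, data) for _, data in FRAMES)

if __name__ == "__main__":
    for label, buf in (("faithful", FAITHFUL), ("collapsed", COLLAPSED)):
        print(label, summarize(buf), packet_linktypes(buf))
```

To inspect a real file, read it into a bytes object and call `summarize` on it: an interface list with a single Ethernet entry and packets that should have been 802.11 or Token Ring is exactly the symptom described in the message above, and an empty comment on every packet shows that no opt_comment options were written. The parser rejects blocks whose two length fields disagree or whose stated length runs past the buffer, which is the check you want before trusting lengths from a file produced by a third-party writer.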