Re: “bytes on wire” vs. “bytes captured”

[Guy Harris <guy () alum mit edu>]

On Jul 22, 2019, at 8:27 AM, Holger Pfrommer <HPfrommer () hilscher com> wrote:

> thanks for your clarification. So I assume pcapng would be a good future-proof choice.

...as would adding a new link-layer header type, which would be supported in both pcap and pcapng.

> Which leads to the next question. When I put a vendor-specific options block to an EPB, how would I be able to 
> dissect this in my dissector?

That would require changes to the pcapng file-reading code and to the dissection code.  The problem is that the 
routines that read records from a capture file don't have a mechanism to provide a complete list of options to the code 
calling those routines (not even for *standard* options); this needs to be fixed, but hasn't been fixed yet.

A new link-layer header type would be easier to support with the current code base.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe