On 16 Jul 2014, at 17:29, Benoit Claise <[email protected]> wrote:

> Hi Michael,
>
> You wrote:
>
> One of the most accepted packet interchange
> formats is the one defined by libpcap, which is rather old and is
> lacking in functionality for more modern applications particularly
> from the extensibility point of view.
>
> Can you please expand.

Sure.

Every pcap file starts with a file header, which contains information about the version, byte ordering, timestamp, snap length and the link layer type of all packets. After the file header you have a sequence of records. Every packet starts with a record header containing the time and the length of the record followed by the actual bytes of the packet.

A pcapng file consists of a sequence of blocks. Each block has a length field and a type field. This allows you to add additional blocks in the future. A reader can also skip blocks he doesn't know. This gives you extensibility.

The blocks currently defined allow you to store more information than a classical pcap file:
* You can store packets from different interfaces with different link layers.
* You can store information about packet drops between captured packets (like snoop).
* You can store statistical information about drop numbers during the capture.
* You can store information about DNS names of nodes you capture traffic from.

Best regards
Michael

>
> Regards, Benoit
>> On 26 Jun 2014, at 19:29, Michael Tuexen <[email protected]>
>> wrote:
>>
>>> Dear all,
>>>
>>> I have submitted an ID describing the default packet format
>>> used by Wireshark for saving capture files:
>>> http://www.ietf.org/internet-drafts/draft-tuexen-opswg-pcapng-00.txt
>> Wrong name... Use
>> http://www.ietf.org/internet-drafts/draft-tuexen-opsawg-pcapng-00.txt
>>> Is there any interest in the WG to work on this and improve it?
>>>
>>> Any comments are welcome!
>>>
>>> Best regards
>>> Michael
>>>
>>> _______________________________________________
>>> OPSAWG mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/opsawg
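
The block framing described in the message above, as an added example that is not part of the original mail or of any pcapng implementation: a reader that walks the blocks, skips types it does not know by their length, and rejects length fields it cannot trust. The field layout (32-bit type, 32-bit total length, body, repeated total length), the type numbers and the byte-order magic are taken from the pcapng specification, not from the message; the block type 0x7FFF0001 and the sample capture are constructed.

```python
import struct

SHB = 0x0A0D0D0A  # Section Header Block type; reads the same in both byte orders
BYTE_ORDER_MAGIC = 0x1A2B3C4D
ENDIAN_BY_MAGIC = {struct.pack(e + "I", BYTE_ORDER_MAGIC): e for e in "<>"}
KNOWN = {SHB: "section-header", 1: "interface-description", 4: "name-resolution",
         5: "interface-statistics", 6: "enhanced-packet"}

def walk_blocks(data):
    """Yield (block_type, body) per block; raise ValueError on bad framing."""
    off, endian = 0, None
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError("truncated block at offset %d" % off)
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":
            # A new section starts: its byte-order magic follows type and length.
            endian = ENDIAN_BY_MAGIC.get(data[off + 8:off + 12])
        if endian is None:
            raise ValueError("missing section header or bad byte-order magic")
        btype, total = struct.unpack_from(endian + "II", data, off)
        # Never trust the length field: bound it before using it as an offset.
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("bad block length %d at offset %d" % (total, off))
        (trailer,) = struct.unpack_from(endian + "I", data, off + total - 4)
        if trailer != total:
            raise ValueError("length fields disagree at offset %d" % off)
        yield btype, data[off + 8:off + total - 4]
        off += total

def summarize(data):
    """Count blocks by name; unknown types are skipped using their length."""
    counts = {}
    for btype, _body in walk_blocks(data):
        name = KNOWN.get(btype, "skipped-unknown")
        counts[name] = counts.get(name, 0) + 1
    return counts

def make_block(btype, body, endian="<"):
    """Build one constructed sample block, padding the body to 32 bits."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)

# Constructed sample: section header, one interface, an unknown type, one packet.
SAMPLE = (make_block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
          + make_block(1, struct.pack("<HHI", 1, 0, 65535))
          + make_block(0x7FFF0001, b"future data")
          + make_block(6, struct.pack("<IIIII", 0, 0, 0, 4, 4) + b"\xde\xad\xbe\xef"))
```
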
