I have reposted the PCAP and PCAP-NG documents.

Name: draft-gharris-opsawg-pcap
Title: PCAP Capture File Format
Html: https://www.ietf.org/archive/id/draft-gharris-opsawg-pcap-02.html
Diff: https://www.ietf.org/rfcdiff?url2=draft-gharris-opsawg-pcap-02
Abstract: This document describes the format used by the libpcap library to record captured packets to a file. Programs using the libpcap library to read and write those files, and thus reading and writing files in that format, include tcpdump.

Name: draft-tuexen-opsawg-pcapng
Title: PCAP Next Generation (pcapng) Capture File Format
Html: https://www.ietf.org/archive/id/draft-tuexen-opsawg-pcapng-03.html
Diff: https://www.ietf.org/rfcdiff?url2=draft-tuexen-opsawg-pcapng-03
Abstract: This document describes a format to record captured packets to a file. This format is extensible; Wireshark can currently read and write it, and libpcap can currently read some pcapng files.

There has been a reasonable amount of discussion, such as:
https://mailarchive.ietf.org/arch/msg/opsawg/II4OEz82HXbsF_qn_3uFDsG3Z2g/
https://mailarchive.ietf.org/arch/msg/opsawg/sdjMYN7wj2nzXmSpy0pIlu3uCtI/
https://mailarchive.ietf.org/arch/msg/opsawg/4Cvm_msdnORHMUY3kbyCV6dbGyI/
https://mailarchive.ietf.org/arch/msg/opsawg/yJ7LczDObabWAH4SrmJ886bqMVg/

There were many comments about how we should have used CBOR for PCAPNG, and I would agree that in hindsight, it would be good. New section types for PCAPNG could well be encoded in CBOR. I also advocated that for draft-ietf-quic-qlog-h3-events, draft-ietf-quic-qlog-main-schema, draft-ietf-quic-qlog-quic-events, but they didn't go that way. (At least, not yet?). I haven't time to do QUIC stuff, but if there is interest, I'll read the documents above and see if I can come up with a proposal.

The proposal is to adopt draft-gharris-opsawg-pcap as an Informational document. This documents the ~30-year-old pcap format used by tcpdump, Wireshark, etc. Almost all of the IPv6, DNSSEC, DNS extensions, etc. research done by many researchers, including for instance the https://www.caida.org/projects/network_telescope/, has used pcap files as the capture format.

We need to do this as a *WG* and cannot do this as ISE, because the pcap document establishes the critical LinkType registry. One of the exchanges above is about how to "load" this rather large legacy into IANA.

pcapng would be an IETF controlled document, the "pcap 2.0", but we can't really do as many changes as we might like. (I'd sure like to name it pcap2.0, as I hate the whole "Next Generation" moniker, but I don't know if that would fly at this late stage).

*MAYBE* PCAPNG should also be Informational, given that we can't really mess with it too much.

*MAYBE* PCAP2.0 should be just the structure as IETF Standards Track, and the section structure which is in PCAPNG (which is not changeable) should be an Informational document. This involves more documents, but no additional text.

I would be pleased to present at IETF111 on this plan, and have a discussion, but I'd prefer to get to a place where the chairs feel happy to consider adopting before then.

--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________ OPSAWG mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsawg
