On Aug 12, 2024, at 5:03 AM, Michael Richardson <[email protected]> wrote:
> I wish we set the pcap"ng" version field to "3", following from pcap v2 being
> the last. It could be done perhaps, and pcap"ng" could be version pcap3.
I wish we'd avoided using the string "pcap" in the name of the extensible
capture file format, as the extensible capture file format is not a
straightforward extension of the pcap file format. pcap format files begin
with a 4-byte magic number, followed by a 2-byte major version number, followed
by a 2-byte minor version number, etc.; extensible capture files begin with a
4-byte Section Header Block block type value, followed by a 4-byte length field
for that Section Header Block, followed by a 4-byte Byte-Order Magic value,
followed by a 2-byte major version number, followed by a 2-byte minor version
number, etc., rather than beginning like a pcap file but with a major version
number of 3.
I.e., the extensible capture file format would not have been "pcapv3" even if
the initial major version number value were 3. It's a different format from
pcap that inherits a few concepts from pcap ("reader makes it right" with a
magic number field with a non-palindromic byte order, used to determine the
byte order of most fields in the file; link-layer type values from the same set
as in pcap files; a snapshot-length value indicated up front, and both "packet
length" and "captured length" values for each packet), but designed for
extensibility in multiple directions, including the ability to have multiple
record types to carry more than just packets, in ways that make it *not* a
simple "new version of pcap".
So maybe just call it "extensible capture file format". Sadly, .ecf is already
in use:
https://learn.microsoft.com/en-us/answers/questions/552563/fxsext-ecf-windows-10-file
and so is .xcf:
https://en.wikipedia.org/wiki/XCF_(file_format)
but a quick Google search doesn't pop up any obvious .ecff extension. Or maybe
we should have something other than "capture", as Falco:
https://sysdig.com/opensource/falco/
uses it to record system events (don't turn around, the commissar's in town!).
But there are already a lot of files in that format with .pcapng as the
extension.
(And, speaking of version numbers, it's perhaps unfortunate that the extensible
capture file format has version numbers - if it has to be changed so
incompatibly that the version number has to be changed, that's a sign that the
extensibility failed. But removing it would *itself* require a major version
number change, as old code won't be able to read the new files. A major goal
of the extensibility is to allow old code to read new files, albeit with a loss
of information.)
_______________________________________________
OPSAWG mailing list -- [email protected]
To unsubscribe send an email to [email protected]
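An added example, not part of the message above and not code from libpcap, Wireshark or any other pcap/pcapng project: a small Python header sniffer that tells the two formats apart exactly along the lines the message describes (pcap starts with a non-palindromic magic and then 2-byte major/minor fields; pcapng starts with a Section Header Block type, a block length, a byte-order magic and then its own major/minor fields) and applies "reader makes it right" to both. The magic values and the current version numbers (pcap 2.4, pcapng 1.0) come from the respective specifications, not from the message; the sample headers are constructed here for the example, and all function names are the example's own.

```python
"""Classify the first bytes of a capture file as pcap or pcapng.

"Reader makes it right": the magic tells the reader which byte order the
writer used, and every later fixed-width field is decoded in that order.
The sample headers at the bottom are constructed for this example.
"""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # pcap variant with nanosecond timestamps
PCAPNG_SHB_TYPE = 0x0A0D0D0A   # Section Header Block type; same bytes in either order
PCAPNG_BOM = 0x1A2B3C4D        # byte-order magic; non-palindromic, so it reveals the order

PCAP_HDR_LEN = 24              # magic, major, minor, thiszone, sigfigs, snaplen, linktype
SHB_MIN_LEN = 28               # type, length, BOM, major, minor, section length, length again


def _parse_pcap(buf, order, magic):
    if len(buf) < PCAP_HDR_LEN:
        raise ValueError("truncated pcap file header")
    major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack_from(
        order + "HHiIII", buf, 4)
    return {"format": "pcap",
            "byte_order": "little" if order == "<" else "big",
            "version": (major, minor),
            "snaplen": snaplen,
            "linktype": linktype,
            "ts_resolution": "ns" if magic == PCAP_MAGIC_NSEC else "us"}


def _parse_shb(buf):
    if len(buf) < SHB_MIN_LEN:
        raise ValueError("truncated Section Header Block")
    # The block type is a palindrome, so only the byte-order magic in the
    # third word can tell us how the writer laid out the other fields.
    if struct.unpack_from("<I", buf, 8)[0] == PCAPNG_BOM:
        order = "<"
    elif struct.unpack_from(">I", buf, 8)[0] == PCAPNG_BOM:
        order = ">"
    else:
        raise ValueError("bad byte-order magic")
    total_len = struct.unpack_from(order + "I", buf, 4)[0]
    # Length fields come from the file, i.e. from whoever wrote it: bound
    # them before they drive any further indexing.
    if total_len < SHB_MIN_LEN or total_len % 4 or total_len > len(buf):
        raise ValueError("implausible SHB length %d" % total_len)
    major, minor, section_len = struct.unpack_from(order + "HHq", buf, 12)
    if struct.unpack_from(order + "I", buf, total_len - 4)[0] != total_len:
        raise ValueError("SHB trailing length does not match leading length")
    return {"format": "pcapng",
            "byte_order": "little" if order == "<" else "big",
            "version": (major, minor),
            "section_length": section_len,
            "shb_length": total_len}


def identify(buf):
    """Return a dict describing the header, or raise ValueError."""
    if len(buf) < 4:
        raise ValueError("too short for any capture file header")
    first_le = struct.unpack_from("<I", buf, 0)[0]
    first_be = struct.unpack_from(">I", buf, 0)[0]
    if first_le == PCAPNG_SHB_TYPE:
        return _parse_shb(buf)
    # pcap: whichever byte order yields a known magic is the writer's order.
    for order, magic in (("<", first_le), (">", first_be)):
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            return _parse_pcap(buf, order, magic)
    raise ValueError("unknown magic 0x%08x" % first_le)


def is_valid_header(buf):
    """Boolean wrapper around identify() for callers that just want a verdict."""
    try:
        identify(buf)
        return True
    except ValueError:
        return False


# Constructed sample headers (not taken from any real capture).
def build_pcap(order, nsec=False, snaplen=262144, linktype=1):
    magic = PCAP_MAGIC_NSEC if nsec else PCAP_MAGIC_USEC
    return struct.pack(order + "IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype)


def build_shb(order, section_len=-1):
    body = struct.pack(order + "IIIHHq", PCAPNG_SHB_TYPE, SHB_MIN_LEN,
                       PCAPNG_BOM, 1, 0, section_len)
    return body + struct.pack(order + "I", SHB_MIN_LEN)


if __name__ == "__main__":
    for sample in (build_pcap("<"), build_pcap(">", nsec=True),
                   build_shb("<"), build_shb(">")):
        print(identify(sample))
```

Two things worth noticing when running it: a big-endian pcap and a little-endian pcap are both accepted because the pcap magic reads as a known value in exactly one of the two byte orders, whereas for pcapng the first word is the same in both orders and the decision is deferred to the byte-order magic; and the SHB's leading and trailing length words are checked against each other and against the buffer before anything is indexed with them, since capture-file parsers are routinely fed attacker-supplied files.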