On May 20, 2024, at 8:31 AM, luoyuxuan.c...@gmail.com wrote:
>I've noticed that the question about libpcap's support for writing files
> in the pcapng format has been brought up multiple times in the mailing list.
> Yet, I'm still curious about the current status of this function. Can anyone
> provide an update: is it currently in progress or still pending
> implementation?
The current status is that there is a GitHub issue for adding full pcapng
support to libpcap:
https://github.com/the-tcpdump-group/libpcap/issues/1321
because support for writing pcapng files without full support for reading those
files is not all that useful.
>Additionally, given Apple's implementation under the APSL license,
...which is a license not compatible with the GPL:
https://www.gnu.org/philosophy/apsl.html
as it contains a patent clause:
12. Termination.
12.1 Termination. This License and the rights granted hereunder
will terminate:
(a) automatically without notice from Apple if You fail to
comply with any term(s) of this License and fail to cure such breach within 30
days of becoming aware of such breach;
(b) immediately in the event of the circumstances described
in Section 13.5(b); or
(c) automatically without notice from Apple if You, at any
time during the term of this License, commence an action for patent
infringement against Apple; provided that Apple did not first commence an
action for patent infringement against You in that instance.
I don't know whether that clause would mean that anybody who has written code
that uses pcapng support APIs in a version of libpcap that implements those
APIs with APSL-licensed code would, "automatically without notice from Apple",
remove their permission to use the pcapng support if they file a lawsuit
accusing Apple of infringing a patent of theirs, but, if so, I would really
prefer libpcap not to have any such code. (The question is whether that would
apply to users of libpcap or tcpdump; I don't expect the Tcpdump Group to file
for any patents ourselves.)
> I wonder if the community is allowed to submit a pull request for it.
Yes, but, in addition to the patent clause of the APSL, Apple's APIs have some
issues.
For one thing, the pcap-ng.3 man page in the Darwin libpcap source on GitHub:
https://github.com/apple-oss-distributions/libpcap/blob/main/libpcap/pcap_ng.3
(yes, Apple's public repositories are on a website run by a wholly-owned
subsidiary of Microsoft) says:
Opening a pcap-ng file
To open a handle for a pcap-ng capture file from which to read pcap-ng
blocks use either pcap_ng_fopen_offline() or pcap_ng_open_offline(). As
these functions return a NULL value if the file is not in the pcap-ng
format, one should then try opening the file using
pcap_fopen_offline(3PCAP) or pcap_open_offline(3PCAP).
To open a new pcap-ng capture file to save pcap-ng blocks use either
pcap_ng_dump_open() or pcap_ng_dump_fopen().
The above functions return a pcap_t that may be used with most of the
pcap(3PCAP) functions that accept a capture handle.
That is not the API that I would prefer. When I originally wrote the limited
pcap-reading code in libpcap, my intent was to allow code to read both pcap
*and* pcapng files without any changes to the code, rather than requiring some
awkward pair of opens. I would prefer that, for code that fully supports
pcapng, only one open be necessary, and that it get a fake SHB, a fake IDB
(without any interface name provided, as that's not stored in pcap files), and
a sequence of fake IDBs.
In addition, the routine to write a pcapng block returns no value:
void
pcap_ng_dump(u_char *user, struct pcap_pkthdr *h, u_char *sp);
which means that it shares pcap_dump()'s inability to report errors, including
"no more space on the file system". See, for example,
https://github.com/the-tcpdump-group/libpcap/issues/1047
I would prefer to have new APIs in which the callback returns a value:
0 on success;
a PCAP_ERROR_ value on an error;
a PCAP_WARNING_ value on a warning condition;
with errors and warnings breaking out of the loop, causing the callback return
value to be returned. This would, for example, allow out-of-space conditions
to be reported.
___
tcpdump-workers mailing list -- tcpdump-workers@lists.tcpdump.org
To unsubscribe send an email to tcpdump-workers-le...@lists.tcpdump.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
