On Apr 5, 2004, at 10:39 PM, Ryan Mooney wrote:
What about adding the concept of arbitrary meta-packets that can sit anywhere in the capture stream. These could be used to encode comments, and other meta-data.
In Michael Richardson's proposal, a capture file is a sequence of records, each of which contains one or more type/length/value items. A record need not contain a PCAP_DATACAPTURE item; if it doesn't contain one, it'd be meta-data without a packet, and if it does contain one, it's a packet, possibly with additional meta-data.
In Loris Degioanni and Fulvio Risso's proposal, a capture file is a sequence of records, each of which is a type/length/value item. Some of the record types include a sequence of type/length/value options within them.
Both of those schemes support the concept of arbitrary meta-data that can appear anywhere in the capture stream, encoding comments and other meta data...
This concept could also be used for other internal meta-data for example capture information like direction, interface info, etc...). There would have to be a way to tag future as part of a meta-data stream (to handle multiple interfaces, etc..).
...and handle multiple interfaces, as well as meta-data associated with packets and not associated with packets...
This could be done in a way to preserve the ability to cat multiple files together
...and support the ability to concatenate multiple capture files with "cat".
- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.