On Apr 4, 2011, at 10:09 PM, Darren Reed wrote:

> Is there a DLT type for "plain text"?

No.

> That is, can I record or insert text based comments or other data to a pcap
> file?

No, but you can record them in a pcap-NG file.

The tradeoffs:

With LINKTYPE_PPI+LINKTYPE_TEXT, with no changes, Wireshark will report the LINKTYPE_TEXT packets as an unknown encapsulation, and just show the raw hex and ASCII for the text, which is an ugly UI, but you can at least see the text; with pcap-NG, Wireshark would have to be changed to report the information.

With LINKTYPE_PPI+LINKTYPE_TEXT, with no changes, tcpdump, and probably at least some other libpcap/WinPcap-based programs, will reject the file as unreadable; with pcap-NG, libpcap-based programs using libpcap 1.1 or later (if dynamically-linked, even if they weren't built with libpcap 1.1) will read the file and just ignore the text comments.

With LINKTYPE_PPI+LINKTYPE_TEXT, if you *did* add LINKTYPE_PPI and LINKTYPE_TEXT support to libpcap/WinPcap-based programs such as tcpdump, they'd be able to handle the comments and even report them, as long as the libpcap/WinPcap they're using is recent enough not to throw up if you give even an empty filter string to pcap_compile() with a LINKTYPE_PPI capture, so it'd work with current versions of libpcap and WinPcap; with pcap-NG, in order to have libpcap/WinPcap-based programs report the text comments, we'd need to add APIs that expose the full capabilities of pcap-NG to libpcap/WinPcap, modify the programs to use those APIs and report the comments, and build them against and run them with a libpcap/WinPcap that supports the new APIs.

With LINKTYPE_PPI+LINKTYPE_TEXT, if you want to use libpcap/WinPcap filters on the capture in a libpcap/WinPcap-based program, the libpcap/WinPcap filtering code would have to be modified, possibly significantly, to handle a file where the *actual* encapsulation (as opposed to the "envelope" encapsulation of LINKTYPE_PPI) differs from packet to packet, even if it's just differing between some actual linktype and LINKTYPE_TEXT; with pcap-NG, libpcap filters will Just Work with no API changes or code changes with a libpcap that handles pcap-NG (which will reject mixed link-layer types, so that's not an issue).

With LINKTYPE_PPI+LINKTYPE_TEXT, we have a solution to a particular problem, with a bit of a special-purpose hack (LINKTYPE_TEXT isn't very useful by itself, it's only useful with LINKTYPE_PPI); with pcap-NG, we have something that's a bit cleaner and more cleanly extensible.

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
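
The pcap-NG option discussed in the message above, as an added example that is not part of the original e-mail or of libpcap: a text comment is stored as an option on a packet block, after the padded packet data, so a reader that does not care about comments can skip it. The function names and the sample frames are constructed for illustration; the block types and the comment option code (1) are taken from the pcapng format, and only little-endian files are handled.

```python
import struct

# Values from the pcapng format: block types and the comment option code.
SHB, IDB, EPB = 0x0A0D0D0A, 1, 6
OPT_END, OPT_COMMENT = 0, 1

def pad4(b):
    return b + b"\x00" * (-len(b) % 4)

def block(btype, body):
    total = 12 + len(body)  # type + two length fields + body
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def build_capture(packets, linktype=1):
    """packets: list of (frame_bytes, comment_or_None); linktype 1 = Ethernet."""
    out = block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    out += block(IDB, struct.pack("<HHI", linktype, 0, 65535))
    for frame, note in packets:
        body = struct.pack("<5I", 0, 0, 0, len(frame), len(frame)) + pad4(frame)
        if note:
            raw = note.encode("utf-8")
            body += struct.pack("<HH", OPT_COMMENT, len(raw)) + pad4(raw)
            body += struct.pack("<HH", OPT_END, 0)
        out += block(EPB, body)
    return out

def read_comments(data):
    """Return [(packet_index, comment)] from a little-endian pcapng byte string."""
    found, off, index = [], 0, 0
    while off + 12 <= len(data):
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("bad block length at offset %d" % off)
        if btype == EPB:
            if total < 32:
                raise ValueError("short packet block at offset %d" % off)
            caplen = struct.unpack_from("<I", data, off + 20)[0]
            pos, end = off + 28 + caplen + (-caplen % 4), off + total - 4
            while pos + 4 <= end:  # options follow the padded packet data
                code, length = struct.unpack_from("<HH", data, pos)
                if code == OPT_END or pos + 4 + length > end:
                    break
                if code == OPT_COMMENT:
                    text = data[pos + 4:pos + 4 + length]
                    found.append((index, text.decode("utf-8", "replace")))
                pos += 4 + length + (-length % 4)
            index += 1
        off += total
    return found

# Constructed sample: two dummy frames, the second carrying an annotation.
SAMPLE = build_capture([(b"\x00" * 15, None), (b"\x11" * 60, "operator note")])
```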