On May 11, 2019, at 3:42 PM, Michael Richardson <m...@sandelman.ca> wrote:
> Also, it might be that pcapng would actually be a really good container for
> your work rather than inventing yet-another-TLV.

Are there any law enforcement agencies that *will* accept a pcap file but *won't* accept a pcapng file? *If* that's the case, that would prevent pcapng from being used, but if it's *not* the case, that might mean pcapng could be used.

If we *do* use pcapng, that would mean that:

1) Wireshark wouldn't be able to read the lawful intercept information in the files until support for new block types and options is added to it;

2) tcpdump wouldn't be able to read the lawful intercept information in the files until we add full pcapng support (with new APIs) to libpcap, including support for the new block types and options, and add support for the new APIs, and for the new block types and options, to tcpdump;

3) other programs that currently read pcap files would need to be able to read pcapng to read those files at all, and that support for pcapng would have to include the new block types and options in order to read the lawful intercept information.

To be fair, those programs would *also* have to be modified to handle LINKTYPE_ELEE - and programs that can read pcapng would at least be able to read the intercepted packets without change, assuming they just ignore unknown block and option types (which they should do!).

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
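
The point about readers that ignore unknown block types, as an added example that is not part of the original message and is not libpcap or Wireshark code: a minimal pcapng block walker that uses each block's total-length field to step over a block type it does not recognise and still returns the packets. The type 0x80000001 (taken from pcapng's local-use range) and the sample bytes are constructed for illustration, and options are not parsed.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # standard pcapng block types
MAGIC = 0x1A2B3C4D                                   # SHB byte-order magic
LI_BLOCK = 0x80000001  # hypothetical local-use type standing in for a new block

def block(btype, body):
    """Build one little-endian block: type, total length, padded body, length."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def read_packets(data):
    """Return (packet payloads, skipped block types) from a pcapng byte string."""
    packets, skipped, off, e = [], [], 0, "<"
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError("truncated block")
        if struct.unpack_from("<I", data, off)[0] == SHB:
            # The SHB type is a palindrome; its magic gives the section byte order.
            magic = struct.unpack_from("<I", data, off + 8)[0]
            if magic not in (MAGIC, 0x4D3C2B1A):
                raise ValueError("bad byte-order magic")
            e = "<" if magic == MAGIC else ">"
        btype, total = struct.unpack_from(e + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("bad block length")
        if struct.unpack_from(e + "I", data, off + total - 4)[0] != total:
            raise ValueError("length fields disagree")
        body = data[off + 8:off + total - 4]
        if btype == EPB:
            # Body: interface id, timestamp (2 words), captured len, original len.
            if len(body) < 20:
                raise ValueError("short packet block")
            caplen = struct.unpack_from(e + "I", body, 12)[0]
            if 20 + caplen > len(body):
                raise ValueError("captured length exceeds block")
            packets.append(body[20:20 + caplen])
        elif btype not in (SHB, IDB):
            skipped.append(btype)  # unknown block: step over it using its length
        off += total
    return packets, skipped

# Constructed sample: SHB, Ethernet IDB, one unknown block, one packet block.
SAMPLE = (block(SHB, struct.pack("<IHHq", MAGIC, 1, 0, -1))
          + block(IDB, struct.pack("<HHI", 1, 0, 65535))
          + block(LI_BLOCK, b"constructed intercept metadata")
          + block(EPB, struct.pack("<5I", 0, 0, 0, 5, 5) + b"hello"))

if __name__ == "__main__":
    print(read_packets(SAMPLE))
```

A reader written this way reports the unknown type in its second return value rather than failing, which is the behaviour the message relies on for existing pcapng tools.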