Hi

LEAs SHOULD accept only ASN.1 BER encoded data but that is not the case. I encountered a case where they wanted us to convert that ASN.1 back to pcap. And the problem was that IRI is not packet data and that's why I would like a new DLT so I could either have a pcap file with all ELEE data or pcapng with mixed LinkLayer types with some blocks having DLT_ELEE for IRI data.

I am trying to make our product more professional and combine Wireshark with ETSI. With this dissector plugin and ELEE DLT I am actually doing pretty great.

I guess pcapng could be used by using a SectionHeader block with the ELEE DLT for LI data (IRI and CC). I am doing my best and will continue to improve on that spec as promised.

I could use pcapng, which seems like a good idea, but I would still need that new ELEE DLT to set the SectionHeader properly for the IRI data that follows and also for CC data, since unfortunately it also contains LI specific attributes. But you are right that pcapng could be ok.

I chose pcap since it's older and there's a better chance of support, and I have previously encountered one agency that actually demanded it.


On 5/19/19 12:27 AM, Guy Harris wrote:
On May 11, 2019, at 3:42 PM, Michael Richardson <m...@sandelman.ca> wrote:

Also, it might be that pcapng would actually be a really good container for
your work rather than inventing yet-another-TLV.
Are there any law enforcement agencies that *will* accept a pcap file but 
*won't* accept a pcapng file?  *If* that's the case, that would prevent pcapng 
from being used, but if it's *not* the case, that might mean pcapng could be 
used.

If we *do* use pcapng, that would mean that:

        1) Wireshark wouldn't be able to read the lawful intercept information 
in the files until support for new block types and options are added to it;

        2) tcpdump wouldn't be able to read the lawful intercept information in 
the files until we add full pcapng support (with new APIs) to libpcap, 
including support for the new block types and options, and add support for the 
new APIs, and for the new block types and options, to tcpdump;

        3) other programs that currently read pcap files would need to be able 
to read pcapng to read those files at all, and that support for pcapng would 
have to include the new block types and options in order to read the lawful 
intercept information.

To be fair, those programs would *also* have to be modified to handle 
LINKTYPE_ELEE - and programs that can read pcapng would at least be able to 
read the intercepted packets without change, assuming they just ignore unknown 
block and option types (which they should do!).

--
Damir Franusic

email: damir.franu...@gmail.com
http://ele2.io/

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
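The thread above argues about whether pcapng can carry intercept data alongside ordinary packets and whether existing readers would survive the new blocks. The following is an added example, written for this page and not code from libpcap, Wireshark or the ELEE project. It writes a small pcapng stream with two Interface Description Blocks of different link types (Ethernet for CC packets, an ELEE link type for an IRI record) plus one block of a made-up type, then reads it back, attributing each packet to its interface's link type and stepping over the unknown block by its length field, which is the behaviour Guy Harris says a pcapng reader should have. Note that in pcapng the link type is a field of each Interface Description Block rather than of the Section Header Block, which is what lets one section mix link types. The value 300 for LINKTYPE_ELEE, the block type 0x0BADC0DE, the Ethernet frame and the DER blob are all assumptions or constructed sample data, not real intercept content.

```python
"""Minimal pcapng writer/reader: two interfaces with different link types and a
reader that skips unknown block types.  Added example, not project code."""
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
BYTE_ORDER_MAGIC = 0x1A2B3C4D
LINKTYPE_ETHERNET = 1
LINKTYPE_ELEE = 300          # assumption: value later registered for LINKTYPE_ELEE
CUSTOM_UNKNOWN = 0x0BADC0DE  # constructed: a block type no existing reader understands


def pad4(b: bytes) -> bytes:
    """pcapng bodies are padded to a 32-bit boundary."""
    return b + b"\0" * (-len(b) % 4)


def block(btype: int, body: bytes) -> bytes:
    """General block framing: type, total length, padded body, total length again."""
    body = pad4(body)
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def shb() -> bytes:
    # byte-order magic, version 1.0, section length -1 (unknown); no options
    return block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))


def idb(linktype: int, snaplen: int = 65535) -> bytes:
    # link type, reserved, snaplen: the link type is per interface, not per section
    return block(IDB, struct.pack("<HHI", linktype, 0, snaplen))


def epb(iface: int, ts: int, data: bytes) -> bytes:
    hdr = struct.pack("<IIIII", iface, ts >> 32, ts & 0xFFFFFFFF, len(data), len(data))
    return block(EPB, hdr + data)


# Constructed sample payloads (not real CC or IRI data).
ETH_FRAME = bytes.fromhex("ffffffffffff020000000001" "0806" + "00" * 28)
IRI_DER = bytes.fromhex("3006020101040141")  # SEQUENCE { INTEGER 1, OCTET STRING "A" }


def build_capture() -> bytes:
    return b"".join([
        shb(),
        idb(LINKTYPE_ETHERNET),                      # interface 0: CC packets
        idb(LINKTYPE_ELEE),                          # interface 1: IRI records
        epb(0, 1_558_000_000_000_000, ETH_FRAME),
        block(CUSTOM_UNKNOWN, b"vendor-private"),    # a reader must skip this
        epb(1, 1_558_000_000_000_001, IRI_DER),
    ])


def read_pcapng(buf: bytes):
    """Return (packets, skipped_block_types); packets is a list of (linktype, data).
    Unknown block types are stepped over using their length field."""
    off, endian = 0, "<"
    ifaces, packets, skipped = [], [], []
    while off + 12 <= len(buf):
        btype = struct.unpack_from("<I", buf, off)[0]      # SHB type reads the same in both orders
        if btype == SHB:
            magic = struct.unpack_from("<I", buf, off + 8)[0]
            endian = "<" if magic == BYTE_ORDER_MAGIC else ">"
            ifaces = []                                      # interface ids restart per section
        total = struct.unpack_from(endian + "I", buf, off + 4)[0]
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError(f"bad block length {total} at offset {off}")
        trailer = struct.unpack_from(endian + "I", buf, off + total - 4)[0]
        if trailer != total:
            raise ValueError(f"length mismatch at offset {off}")
        body = buf[off + 8: off + total - 4]
        if btype == IDB:
            ifaces.append(struct.unpack_from(endian + "H", body)[0])
        elif btype == EPB:
            iface, _, _, caplen, _ = struct.unpack_from(endian + "IIIII", body)
            if iface >= len(ifaces):
                raise ValueError(f"EPB references undefined interface {iface}")
            packets.append((ifaces[iface], body[20:20 + caplen]))
        elif btype != SHB:
            skipped.append(btype)                            # unknown type: ignore, keep walking
        off += total
    return packets, skipped


if __name__ == "__main__":
    pkts, skipped = read_pcapng(build_capture())
    for lt, data in pkts:
        print(f"linktype={lt} len={len(data)}")
    print("skipped block types:", [hex(t) for t in skipped])
```

The reader checks both length fields and the interface id before trusting a block, since a capture file handed over by a third party is untrusted input; a writer that wants a pure pcap file instead would have to choose a single link type for the whole file, which is exactly the constraint that motivates a dedicated DLT for IRI data.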
