IETF draft for remote packet captureSomewhere you need to encode the
link-layer type of the captured data. That is, is the data
Ethernet, Token-Ring, etc.? Your "ifIndex" description seems to encode
interface number, say, the 2nd
interface on the device, but doesn't seem to encode link-layer type. A
program that uses this
packet capture may very well know that the nth interface on a particular
host has a particular
link-layer type, but that information should probably be in your PCAP header
instead of
being retrieved through some non-standardized method.
And from our experience with libpcap, it is wise to have some central
authority keep track
of the list of encodings, as you can't assume that the PPP information
returned from one type
of machine is in the same format as that from another type of machine.You
need different
encodings for every different format that will appear at the beginning of
your captured data.
You'll also want to explicitly define the endianness of the multi-byte
integers in your headers.
What is the purpose of "Sequence Number" in the Multiple Captured Packet
Encapsulation Header?
Are these packets ("meta-packets"? :-) expected to arrive out of order?
--gilbert
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
