Hello list. It had recently crossed my mind that it would be useful to know when a packet capture started and when it finished. This is currently not the same as the timestamps of the first and the last packet in the file.
For example, if you see a single DNS query in the file and you expect multiple queries, it helps to know that the capture actually lasted for the 3-hour period of time you are troubleshooting and not for a random few seconds around that single packet, for whatever reason.

Whilst it is not too late to consider this for the pcapng format, in a traditional .pcap file the only reasonable way to record this information seems to be injecting two made-up packets at the beginning and the end, such that the timestamps of those packets encode the timeframe of the whole capture. Would zero-length packets be the best data units for that purpose, considering both old and new implementations?

--
Denis Ovsienko
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
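
The marker-record idea from the message above, as an added example that is not part of the original post and is not libpcap or tcpdump code: a classic .pcap file is written with a zero-length record at each end, and a reader recovers the capture window from them. Treating a first and last record with caplen = len = 0 as markers is the convention under discussion, assumed here rather than an existing pcap feature; the function names and the sample values are hypothetical.

```python
import struct

GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, caplen, len
MAGIC_USEC = 0xA1B2C3D4                 # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

def record(ts, data=b""):
    """One pcap record; with no data it is a zero-length marker."""
    return RECORD_HDR.pack(ts[0], ts[1], len(data), len(data)) + data

def write_capture(start, end, packets, snaplen=262144):
    """Bracket the packets with zero-length records stamped start and end."""
    out = [GLOBAL_HDR.pack(MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    out.append(record(start))
    out.extend(record(ts, data) for ts, data in packets)
    out.append(record(end))
    return b"".join(out)

def read_capture(blob):
    """Return (start, end, packets); start and end are None without markers."""
    if len(blob) < GLOBAL_HDR.size or GLOBAL_HDR.unpack_from(blob)[0] != MAGIC_USEC:
        raise ValueError("not a little-endian microsecond pcap file")
    records, off = [], GLOBAL_HDR.size
    while off < len(blob):
        if off + RECORD_HDR.size > len(blob):
            raise ValueError("truncated record header")
        sec, usec, caplen, origlen = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        if off + caplen > len(blob):
            raise ValueError("truncated record data")
        records.append(((sec, usec), caplen, origlen, blob[off:off + caplen]))
        off += caplen
    def is_marker(r):
        return r[1] == 0 and r[2] == 0
    packets = [(r[0], r[3]) for r in records]
    if len(records) >= 2 and is_marker(records[0]) and is_marker(records[-1]):
        return records[0][0], records[-1][0], packets[1:-1]
    return None, None, packets

# Constructed sample: a 3-hour capture holding one packet of placeholder bytes.
SAMPLE_START, SAMPLE_END = (1700000000, 0), (1700010800, 0)
SAMPLE_PACKETS = [((1700004321, 500000), bytes(range(60)))]

if __name__ == "__main__":
    start, end, pkts = read_capture(write_capture(SAMPLE_START, SAMPLE_END, SAMPLE_PACKETS))
    print("capture window:", end[0] - start[0], "s; packets:", len(pkts))
```

A reader following this convention cannot tell a marker from a genuine zero-length record that happens to sit first or last in the file, which is one reason the behaviour of existing implementations matters.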