On May 20, 2024, at 8:31 AM, luoyuxuan.c...@gmail.com wrote: > I've noticed that the question about libpcap's support for writing files > in the pcapng format has been brought up multiple times in the mailing list. > Yet, I'm still curious about the current status of this function. Can anyone > provide an update: is it currently in progress or still pending > implementation?
The current status is that there is a GitHub issue for adding full pcapng support to libpcap: https://github.com/the-tcpdump-group/libpcap/issues/1321 because support for writing pcapng files without full support for reading those files is not all that useful. > Additionally, given Apple's implementation under the APSL license, ...which is a license not compatible with the GPL: https://www.gnu.org/philosophy/apsl.html as it contains a patent clause: 12. Termination. 12.1 Termination. This License and the rights granted hereunder will terminate: (a) automatically without notice from Apple if You fail to comply with any term(s) of this License and fail to cure such breach within 30 days of becoming aware of such breach; (b) immediately in the event of the circumstances described in Section 13.5(b); or (c) automatically without notice from Apple if You, at any time during the term of this License, commence an action for patent infringement against Apple; provided that Apple did not first commence an action for patent infringement against You in that instance. I don't know whether that clause would mean that anybody who has written code that uses pcapng support APIs in a version of libpcap that implements those APIs with APSL-licensed code would, "automatically without notice from Apple", remove their permission to use the pcapng support if they file a lawsuit accusing Apple of infringing a patent of theirs, but, if so, I would really prefer libpcap not to have any such code. (The question is whether that would apply to users of libpcap or tcpdump; I don't expect the Tcpdump Group to file for any patents ourselves.) > I wonder if the community is allowed to submit a pull request for it. Yes, but, in addition to the patent clause of the APSL, Apple's APIs have some issues. For one thing, the pcap-ng.3 man page in the Darwin libpcap source on GitHub: https://github.com/apple-oss-distributions/libpcap/blob/main/libpcap/pcap_ng.3 (yes, Apple's public repositories are on a website run by a wholly-owned subsidiary of Microsoft) says: Opening a pcap-ng file To open a handle for a pcap-ng capture file from which to read pcap-ng blocks use either pcap_ng_fopen_offline() or pcap_ng_open_offline(). As these functions return a NULL value if the file is not in the pcap-ng format, one should then try opening the file using pcap_fopen_offline(3PCAP) or pcap_open_offline(3PCAP). To open a new pcap-ng capture file to save pcap-ng blocks use either pcap_ng_dump_open() or pcap_ng_dump_fopen(). The above functions return a pcap_t that may be used with most of the pcap(3PCAP) functions that accept a capture handle. That is not the API that I would prefer. When I originally wrote the limited pcap-reading code in libpcap, my intent was to allow code to read both pcap *and* pcapng files without any changes to the code, rather than requiring some awkward pair of opens. I would prefer that, for code that fully supports pcapng, only one open be necessary, and that it get a fake SHB, a fake IDB (without any interface name provided, as that's not stored in pcap files), and a sequence of fake IDBs. In addition, the routine to write a pcapng block returns no value: void pcap_ng_dump(u_char *user, struct pcap_pkthdr *h, u_char *sp); which means that it shares pcap_dump()'s inability to report errors, including "no more space on the file system". See, for example, https://github.com/the-tcpdump-group/libpcap/issues/1047 I would prefer to have new APIs in which the callback returns a value: 0 on success; a PCAP_ERROR_ value on an error; a PCAP_WARNING_ value on a warning condition; with errors and warnings breaking out of the loop, causing the callback return value to be returned. This would, for example, allow out-of-space conditions to be reported. _______________________________________________ tcpdump-workers mailing list -- tcpdump-workers@lists.tcpdump.org To unsubscribe send an email to tcpdump-workers-le...@lists.tcpdump.org %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s