-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Guy" == Guy Harris <[EMAIL PROTECTED]> writes: >> This is what I would propose as revision. >> Note that the pcap1_packet_header is present on every packet. One can >> merge pcap files together with "cat" if one likes. Guy> OK - that's a bit much to write for every packet, though, as Guy> most of it is redundant. I don't think it is really that much. less than 20 bytes. very compressable too. Guy> Does each record have a pcap1_packet_header and *one* Guy> pcap1_info_container, or one or more up to block_len bytes? If Guy> the latter, you could have more than one packet per Guy> pcap1_packet header. You could have more than one packet per header, true. Is that a good thing? I'm not sure. that wasn't what I was thinking though. You could also have zero packets per header - for instance, just have meta data containing the expression used. >> A suggestion was made to accomodate the nano-second resolution from AIX. >> Can you tell me what they do for that? just more bits, sure, but is >> there a nano-seconds (32-bits, I guess) + seconds (64 bits?). Guy> 32-bit seconds, 32-bit nanoseconds. I like to have more than 32-bit seconds. I like the nanoseconds. >> enum pcap1_info_types { >> PCAP_DATACAPTURE, >> PCAP_TIMESTAMP, >> }; Guy> ...with that list presumably being expandable over time. yes. >> bpf_int32 thiszone; /* gmt to local correction */ Guy> We currently have that but don't use it - it's always zero. Guy> Should we start using it? I guess I'm ignorant of the fact that we aren't using it! >> struct timeval ts; /* time stamp */ >> bpf_u_int32 sigfigs; /* accuracy of timestamps */ Guy> Similarly, that's never been set - should we start using it? I think so. Certainly in the version 1.0 format. - -- ] ON HUMILITY: to err is human. To moo, bovine. | firewalls [ ] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[ ] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/mcr/ |device driver[ ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: Finger me for keys iQCVAwUBQGGhe4qHRg3pndX9AQGVFwQAl1JyORQMoe533GFzJ8BE8s6u2uPRTGdi k1r+r/cgglCP0rMM6hFjdrEFnzq53uDcXQM3Wt3hqNYFZoaJnAIJt8cunI4fv1mY cM+rIOsk8ln14TnnJl2kFEReWvfdC/EDn1egJ90rXJaAXuJTup3j89Qpkez6DJcZ 9GSj3Cmb4pM= =SOP6 -----END PGP SIGNATURE----- - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]