Re: [tcpdump-workers] proposed new pcap format

Wed, 24 Mar 2004 08:50:58 -0800 

Hi,

in the new format, is it really necessary to have the version number in
every packet? How about making that a separate header and including it
only once at the start of a trace? Also, since with your design there's
the possibility of not actually having a pcap1_info_packet chained into
a pcap1_packet_header (or in fact more than one -- is that a good idea?
mhmm ...), there could simply be one pcap1_packet_header at the
beginning of the file that only contains such a version header ...

It might also be useful to do 

struct pcap1_info_packet {
        struct pcap1_info_container pic;
        bpf_u_int32 linktype;   /* data link type (LINKTYPE_*) */
        bpf_u_int32 caplen;     /* length of portion present */
        bpf_u_int32 len;        /* length this packet (off wire) */
        unsigned char packet_data[0];
};

instead to make the lengths match the sequence in the current
pcap_pkthdr.

Regards,
Christian.

On Wed, 2004-03-24 at 01:53, Michael Richardson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> 
> This is what I would propose as revision. 
> Note that the pcap1_packet_header is present on every packet. One can
> merge pcap files together with "cat" if one likes.
> 
> A suggestion was made to accomodate the nano-second resolution from AIX.
> Can you tell me what they do for that? just more bits, sure, but is
> there a nano-seconds (32-bits, I guess) + seconds (64 bits?).
> 
> 
> enum pcap1_info_types {
>         PCAP_DATACAPTURE,
>       PCAP_TIMESTAMP,
> };
> 
> struct pcap1_info_container {
>       bpf_u_int32 info_len;         /* in bytes */
>       bpf_u_int32 info_type;        /* enum pcap1_info_types */
>       unsigned char info_data[0];
> };
> 
> struct pcap1_info_timestamp {
>       struct pcap1_info_container pic;
>       bpf_int32      thiszone;        /* gmt to local correction */
>       struct timeval ts;      /* time stamp */
>       bpf_u_int32 sigfigs;    /* accuracy of timestamps */
> };    
>       
> struct pcap1_info_packet {
>       struct pcap1_info_container pic;
>       bpf_u_int32 caplen;     /* length of portion present */
>       bpf_u_int32 len;        /* length this packet (off wire) */
>       bpf_u_int32 linktype;   /* data link type (LINKTYPE_*) */
>       unsigned char packet_data[0];
> };    
>       
> struct pcap1_packet_header {
>       bpf_u_int32 magic;
>       u_short     version_major;
>       u_short     version_minor;
>         bpf_u_int32 block_len;
>       struct pcap1_info_container pics[0];
> };

-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]

Reply via email to