<html><head><title>Re: [pcap-ng-format] reserving blocks</title>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
</head>
<body>
<span style=" font-family:'Courier New'; font-size: 9pt;">Hello Loris,<br>
<br>
can you check if the INTERFACE LIST BLOCK can be replaced with the existing "Interface Description Block", or maybe extented by adding options to it? You can find the one I am talking about at section 3.2 at </span>http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html <br>
<br>
<span style=" font-family:'Courier New'; font-size: 9pt;">The same goes for the PROCESS LIST BLOCK - can you check if the specifications of the block called "Process Event Block" in use by the Hone Project fits your needs? See section 3.1 at </span>https://github.com/HoneProject/Linux-Sensor/blob/master/hone-pcapng.txt <br>
<br>
<span style=" font-family:'Courier New'; font-size: 9pt;">I want to avoid having very similar block types twice in the specifications if possible, especially if the names are easily confused as well. If you have to add those two block types as completely new types could you please find names for them that makes them distinguishable from the existing ones?<br>
<br>
Thanks,<br>
Jasper<br>
<br>
Friday, February 7, 2014, 10:08:11 PM, you wrote:<br>
<br>
</span><table>
<tr>
<td width=2 bgcolor= #0000ff><br>
</td>
<td><span style=" font-family:'courier new'; font-size: 9pt;">I need 6 blocks, that have to do with capturing system events in a new open source tool that I'm about to release. Here they are: <br>
<br>
MACHINE INFO BLOCK <br>
PROCESS LIST BLOCK <br>
FD LIST BLOCK <br>
EVENT BLOCK <br>
INTERFACE LIST BLOCK <br>
USER LIST BLOCK <br>
<br>
The exact block structures are still work in progress, but I will release the code that implements them. <br>
<br>
So if it's ok with you I will use block numbers 0x201->0x206. <br>
<br>
Loris <br>
<br>
<br>
On Fri, Feb 7, 2014 at 12:19 PM, Jasper Bongertz <</span><a style=" font-family:'courier new'; font-size: 9pt;" href="mailto:jasper@packet-foo.com">jasper@packet-foo.com</a><span style=" font-family:'courier new'; font-size: 9pt;">> wrote:<br>
Hello Loris,<br>
<br>
I don't think there is a real process for that right now. A group of developers met last year at Sharkfest at my request to see how to proceed with the existing design specifications. The idea at the moment is to make an RFC out of it, but that is still in progress. We also did not yet define how to add new block types, but we agreed that the existing specification minus the experimental block types should become the 1.0 specification. So anything added on top of that will be in a later official RFC (if we get it to be accepted as an RFC, that is).<br>
<br>
What kind of blocks do you need? The hone project added additional block types like 0x101 and 0x102 on their own, so maybe you could go with something like x201, x202 etc. up for the time being? If that's okay just let me know the block types and structures so I can keep track of them. <br>
<br>
Cheers,<br>
Jasper<br>
<br>
<br>
Friday, February 7, 2014, 8:47:49 PM, you wrote:<br>
<br>
</span><table>
<tr>
<td width=2 bgcolor= #0000ff><br>
</td>
<td><span style=" font-family:'courier new'; font-size: 9pt;">I need to reserve some pcap-ng block types for a project I'm working on. Can anyone remind me the process I need to follow?</td>
</tr>
</table>
<br><br>
</td>
</tr>
</table>
<br><br>
<br>
<br>
<span style=" font-family:'arial'; color: #c0c0c0;"><i>-- <br>
Best regards,<br>
Jasper </i></span><a style=" font-family:'arial';" href="mailto:jasper@packet-foo.com">mailto:jasper@packet-foo.com</a></body></html>