<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, Feb 7, 2014 at 2:14 PM, Jasper Bongertz <span dir="ltr"><<a href="mailto:jasper@packet-foo.com" target="_blank">jasper@packet-foo.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div>
<span style="font-family:'Courier New';font-size:9pt">Hello Loris,<br>
<br>
can you check if the INTERFACE LIST BLOCK can be replaced with the existing "Interface Description Block", or maybe extented by adding options to it? You can find the one I am talking about at section 3.2 at </span><a href="http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html" target="_blank">http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html</a> <br>
</div></blockquote><div><br></div><div><br></div><div><span style="font-family:'Courier New';font-size:12px">The purpose of the INTERFACE LIST BLOCK is storing the list of network interfaces (and their addresses) of the machine where the capture has been done. The information is somewhat similar to the one included in the interface description block, but the semantic is quite different. I could encode the </span><span style="font-family:'Courier New';font-size:12px">INTERFACE LIST BLOCK</span><span style="font-family:'Courier New';font-size:12px"> information in a sequence of interface description blocks, but then we would need a way a way to specify which interface description block is the one used for capture. </span></div>
<div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div>
<br>
<span style="font-family:'Courier New';font-size:9pt">The same goes for the PROCESS LIST BLOCK - can you check if the specifications of the block called "Process Event Block" in use by the Hone Project fits your needs? See section 3.1 at </span><a href="https://github.com/HoneProject/Linux-Sensor/blob/master/hone-pcapng.txt" target="_blank">https://github.com/HoneProject/Linux-Sensor/blob/master/hone-pcapng.txt</a> <br>
</div></blockquote><div><br></div><div><br></div><div>The two blocks are actually very different. The <span style="font-family:'Courier New';font-size:12px">PROCESS LIST BLOCK</span> contains a list of machine processes, similar the what ps would emit. I can definitely use a different name if you think it's confusing. Do you have suggestions?</div>
<div><br></div><div>Loris</div><div> </div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div>
<br>
<span style="font-family:'Courier New';font-size:9pt">I want to avoid having very similar block types twice in the specifications if possible, especially if the names are easily confused as well. If you have to add those two block types as completely new types could you please find names for them that makes them distinguishable from the existing ones?<br>
<br>
Thanks,<br>
Jasper<div><div class="h5"><br>
<br>
Friday, February 7, 2014, 10:08:11 PM, you wrote:<br>
<br>
</div></div></span><div><div class="h5"><table>
<tbody><tr>
<td width="2" bgcolor="#0000ff"><br>
</td>
<td><span style="font-family:'courier new';font-size:9pt">I need 6 blocks, that have to do with capturing system events in a new open source tool that I'm about to release. Here they are: <br>
<br>
MACHINE INFO BLOCK <br>
PROCESS LIST BLOCK <br>
FD LIST BLOCK <br>
EVENT BLOCK <br>
INTERFACE LIST BLOCK <br>
USER LIST BLOCK <br>
<br>
The exact block structures are still work in progress, but I will release the code that implements them. <br>
<br>
So if it's ok with you I will use block numbers 0x201->0x206. <br>
<br>
Loris <br>
<br>
<br>
On Fri, Feb 7, 2014 at 12:19 PM, Jasper Bongertz <</span><a style="font-family:'courier new';font-size:9pt" href="mailto:jasper@packet-foo.com" target="_blank">jasper@packet-foo.com</a><span style="font-family:'courier new';font-size:9pt">> wrote:<br>
Hello Loris,<br>
<br>
I don't think there is a real process for that right now. A group of developers met last year at Sharkfest at my request to see how to proceed with the existing design specifications. The idea at the moment is to make an RFC out of it, but that is still in progress. We also did not yet define how to add new block types, but we agreed that the existing specification minus the experimental block types should become the 1.0 specification. So anything added on top of that will be in a later official RFC (if we get it to be accepted as an RFC, that is).<br>
<br>
What kind of blocks do you need? The hone project added additional block types like 0x101 and 0x102 on their own, so maybe you could go with something like x201, x202 etc. up for the time being? If that's okay just let me know the block types and structures so I can keep track of them. <br>
<br>
Cheers,<br>
Jasper<br>
<br>
<br>
Friday, February 7, 2014, 8:47:49 PM, you wrote:<br>
<br>
</span><table>
<tbody><tr>
<td width="2" bgcolor="#0000ff"><br>
</td>
<td><span style="font-family:'courier new';font-size:9pt">I need to reserve some pcap-ng block types for a project I'm working on. Can anyone remind me the process I need to follow?</span></td>
</tr>
</tbody></table>
<br><br>
</td>
</tr>
</tbody></table>
<br><br>
<br>
<br>
</div></div><span class=""><font color="#888888"><span style="font-family:arial;color:rgb(192,192,192)"><i>-- <br>
Best regards,<br>
Jasper </i></span><a style="font-family:arial" href="mailto:jasper@packet-foo.com" target="_blank">mailto:jasper@packet-foo.com</a></font></span></div>
</blockquote></div><br></div></div>