<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">2016-11-16 4:43 GMT+01:00 Guy Harris <span dir="ltr"><<a href="mailto:guy@alum.mit.edu" target="_blank">guy@alum.mit.edu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">On Nov 15, 2016, at 6:11 PM, Michael Richardson <<a href="mailto:mcr@sandelman.ca">mcr@sandelman.ca</a>> wrote:<br>
</span><br>
I'd go with Apple's API, except that their libpcap changes are covered under the APSL, and I suspect that there would be OSes that wouldn't want to go with a libpcap with APSL code just as there would be ones that wouldn't want to go with a libpcap with GPL code.<br>
<span class="gmail-"><br>
>> I haven't seen a single big endian formatted file except for the<br>
>> broken one from the Wireshark online PCAPng library in my life (yes, I<br>
>> know, PacketCache does it ;-)), so as long as Intel CPUs are used in<br>
>> all the capture devices we'll mostly see little endian (I may be wrong<br>
>> here and it has nothing to do with CPU designs)<br>
><br>
> Yes, and while ARM can come in BE or LE (as a hardware design choice), it's<br>
> mostly being designed as LE, from what I can tell. I think MIPS systems are<br>
> mostly BE, and there are lots and lots of MIPS processors out there inside<br>
> core BFRs.<br>
<br>
</span>I.e., it is not the case that Intel CPUs are used in all the capture devices; *desktop and notebook computers* (perhaps with tiny exceptions) have little-endian x86 CPUs, and smartphones/tables have (probably) little-endian ARM CPUs, but servers and network devices might have other CPUs, such as possibly big-endian MIPS in networking equipment and big-endian SPARC, Power ISA, and z/Architecture in servers.<br></blockquote><div><br></div><div>Not all code is written in C by old school developers; please read the erratasec blog post I referred to earlier. The code for my sniffer tools (RawCap and PacketCache) can write capture files in any endianness regardless of what endian the CPU is.<br><br></div><div>I'm arguing that the pcapng spec should not have to "worry" about what CPU the code is running on or what programming language that is used to implement the spec. The goal should be to make a simple and clear spec with no ambiguity. As I hinted before, this whole 32-bit alignment is one example where the spec is written specifically to support parsing the files by loading the data into packed structs. A modern protocol or file spec should not assume that this is how the data will be parsed. As an example, please read this note from the current pcapng implementation regarding alignment of 64 bit values:<br><br>"Please note: 64-bit values are not aligned to 64-bit boundaries. This
is because the file is naturally aligned to 32-bit boundaries only.
Special care MUST be taken when reading and writing such values. (Note
also that some 64-bit values are represented as a 64-bit integer in the
endianness of the machine that wrote the file, and others are
represented as 2 32-bit values, one containing the upper 32 bits of the
value and one containing the lower 32 bits of the value, each written as
32-bit integers in the endianness of the machine that wrote the file.
Neither of these formats guarantee 64-bit alignment.)"<br><br></div><div>This is definitely not KISS, I can see so many ways a developer could screw this up when writing a pcapng parser!<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Both pcap and pcapng support "reader makes it right", i.e. the writer writes the file in their byte order and the reader byte-swaps it as necessary. When pcap format was developed, back in the early 1990's, there were Sun SPARC workstations, SGI MIPS workstations, HP PA-RISC workstations, and IBM RS/6000 workstations, all big-endian, as well as DEC MIPS and ALPHA workstations, all little-endian.<br>
<br>
In any case, the spec says either byte order can be used, and it's a bit late to undo that.</blockquote><div><br></div><div>I agree it's way to late to change the PCAP spec, but is it really to late for pcapng? Why not just change the pcapng spec and force all code to write in one endianness in the future? I'm arguing that allowing any endian generates more problems than it solves.<br><br></div><div>How many pcapng "compatible" tools can read a pcapng file with multiple Section Header Blocks of mixed endian? In fact, my experience is that several tools that claim to support pcapng don't even support big-endian files (I have quite a lot of big endian ones).<br></div><div><br></div><div>Allowing mutiple secion header blocks with interchanging endian creates a complexity that will lead to buggy code in many implementations. And this is just one example of where the pcapng spec isnt supporting the KISS principle. A full implementation of the current pcang spec will be much more prone to contain bugs compared to the old PCAP spec. Also most developers will probably not implement the whole spec, in fact you can read most pcapng files by just implementing SHB, IDB and EPB. Chances are that other block types will either not be implemented or remain untested (i.e. byggy).<br></div></div></div></div>