[ntar-workers] Re: Major rework / review of pcapng file formatin CVS - please review

Gianluca Varenni gianluca.varenni at cacetech.com
Mon Oct 22 21:44:36 GMT 2007 

----- Original Message ----- 
From: "Guy Harris" <guy at alum.mit.edu>
To: <ntar-workers at winpcap.org>
Sent: Monday, October 22, 2007 2:20 PM
Subject: Re: [ntar-workers] Re: Major rework / review of pcapng file 
formatin CVS - please review


> Gianluca Varenni wrote:
>
>> - if_fcslen option: it's not clear what to write in this field when the 
>> FCS is variable. 0 and the right effective FCS length in each packet? 
>> having the effective FCS length in an option is a bit dumb in my opinion 
>> (if we do not have a way to declare that the FCS length is in the option, 
>> properly decoding the packets will always require decoding the options of 
>> the packet block!
>
> "In a option" meaning "in an option in the Interface Description Block" or 
> "in an option in the Packet Block or Enhanced Packet Block"?

My bad, I was not clear at all here. My point is that we should probably 
have a way in the fcslen option of the Interface Description Block to say 
that the fcslen is per-packet, and it's saved as a per-packet option (e.g. 
if_fcslen=0xFFFFFFF). Otherwise the problem is that the if_fcslen (in the 
IDB) specifies a "default" FCS, but then you would need to scan the 
per-packet options to know if the effective FCS len for that packet is the 
"default" one or a specific per-packet one. What I want is a way to say "ok, 
the FCS len is fixed, 4 bytes. You will not find a per-packet FCSLEN in the 
packet options." or "the FCS is per-packet. You need to read the per-packet 
options to know the effective FCS len. If you don't find it, then the FCS 
len is the one stored in the IDB".

I hope this clarifies my point.
GV


>
> There are two reasons for a per-packet FCS length:
>
> 1) to handle the case where the FCS length is variable (e.g., PPP) and it 
> changes in the course of a session;
>
> 2) to be one way of handling the case where the capture isn't passive - 
> i.e., the capture includes packets transmitted by the machine doing the 
> capture - and those packets don't have the FCS included.
>
> If outgoing packets *never* include the FCS, 2) could also be handled with 
> the packet direction information.
> _______________________________________________
> ntar-workers mailing list
> ntar-workers at winpcap.org
> https://www.winpcap.org/mailman/listinfo/ntar-workers

More information about the ntar-workers mailing list