[pcap-ng-format] TODO in pcap-ng specifications

Jasper Bongertz jasper.bongertz at flane.de
Wed Jul 25 17:00:42 PDT 2012

On 26.07.2012 01:57, Guy Harris wrote:
> On Jul 25, 2012, at 3:09 PM, Jasper Bongertz wrote:
>> On 25.07.2012 04:45, Guy Harris wrote:
>>>> Text: "The filter (e.g. "capture only TCP traffic") used to 
>>>> capture traffic. The first byte of the Option Data keeps a
>>>> code of the filter used (e.g. if this is a libpcap string, or
>>>> BPF bytecode, and more). More details about this format will
>>>> be presented in Appendix XXX (TODO). (TODO: better use
>>>> different options for different fields? e.g. if_filter_pcap,
>>>> if_filter_bpf, ...)"
>>>> Maybe this is something for someone who is more specialized
>>>> in the capture filter business. I'm not sure if we need
>>>> different fields for this.
>>> I don't think so.  For one thing, what if you have more than
>>> one such option?  Is a program that cares about it required to
>>> assume that, say, an if_filter_bpf value is the result of
>>> compiling, on the machine on which the compilation was done,
>>> the if_filter_pcap value, or does it need to decide which of
>>> those filters was the one actually used?
>>> We *should*, however, nail down the code for the first byte.
>> Okay, how about
>> Code 1 for libpcap string
>> Code 2 for BPF bytecode
> Wireshark already assumes
> Code 0 for libpcap string
> Code 1 for BPF bytecode
> so let's go with that instead.

Agreed, that makes sense. I wasn't thinking binary enough, starting at
1 instead of 0 :-)
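The convention settled above (first byte of the if_filter option data: 0 for a libpcap filter string, 1 for BPF bytecode) is small enough to show as a decoder. The following is an added example written for this archive page; it is not code from Wireshark, libpcap or the pcap-ng draft. The only thing it takes from the thread is the type-byte assignment. Everything else is an assumption labelled in the code: the filter string is UTF-8 with no terminator, and BPF bytecode is a run of 8-byte records laid out like libpcap's struct bpf_insn (u16 code, u8 jt, u8 jf, u32 k) in the writer's byte order. The samples are constructed, not taken from a real capture.

```python
"""Decoder/encoder for the pcapng if_filter option data discussed in the thread.

Added example for this list archive; not code from Wireshark, libpcap or the
pcap-ng-format draft. The only convention taken from the thread is the leading
type byte: 0 = libpcap filter string, 1 = BPF bytecode.
Assumed, not stated in the thread: the string is UTF-8 with no terminator, and
BPF bytecode is a run of 8-byte records laid out like libpcap's struct bpf_insn
(u16 code, u8 jt, u8 jf, u32 k) in the writer's byte order.
"""
import struct
from dataclasses import dataclass
from typing import List, Union

# Filter-type codes from the thread (the values Wireshark already assumes).
FILTER_LIBPCAP_STRING = 0
FILTER_BPF_BYTECODE = 1

BPF_INSN_SIZE = 8  # assumed record size, matching libpcap's struct bpf_insn


@dataclass(frozen=True)
class BpfInsn:
    code: int
    jt: int
    jf: int
    k: int


def _bpf_fmt(little_endian: bool) -> str:
    # struct layout assumed: u16 code, u8 jt, u8 jf, u32 k
    return ("<" if little_endian else ">") + "HBBI"


def decode_if_filter(data: bytes, little_endian: bool = True) -> Union[str, List[BpfInsn]]:
    """Split the option data into its type byte and body, then decode the body.

    Rejects empty data, unknown type codes, non-UTF-8 strings and BPF bodies
    whose length is not a whole number of instructions, so a reader never
    silently treats malformed option data as a filter it then trusts.
    """
    if not data:
        raise ValueError("if_filter option data is empty: missing filter-type byte")
    filter_type, body = data[0], data[1:]
    if filter_type == FILTER_LIBPCAP_STRING:
        try:
            return body.decode("utf-8")
        except UnicodeDecodeError as exc:
            raise ValueError("libpcap filter string is not valid UTF-8") from exc
    if filter_type == FILTER_BPF_BYTECODE:
        if len(body) % BPF_INSN_SIZE != 0:
            raise ValueError(
                f"BPF bytecode length {len(body)} is not a multiple of {BPF_INSN_SIZE}")
        fmt = _bpf_fmt(little_endian)
        return [BpfInsn(*struct.unpack_from(fmt, body, off))
                for off in range(0, len(body), BPF_INSN_SIZE)]
    raise ValueError(f"unknown if_filter type code {filter_type}")


def encode_if_filter(value: Union[str, List[BpfInsn]], little_endian: bool = True) -> bytes:
    """Inverse of decode_if_filter: prefix the body with the matching type byte."""
    if isinstance(value, str):
        return bytes([FILTER_LIBPCAP_STRING]) + value.encode("utf-8")
    fmt = _bpf_fmt(little_endian)
    return bytes([FILTER_BPF_BYTECODE]) + b"".join(
        struct.pack(fmt, i.code, i.jt, i.jf, i.k) for i in value)


def roundtrip_ok(data: bytes) -> bool:
    """True when decode followed by encode reproduces the input bytes."""
    return encode_if_filter(decode_if_filter(data)) == data


def is_rejected(data: bytes) -> bool:
    """True when decode_if_filter refuses the data with ValueError."""
    try:
        decode_if_filter(data)
    except ValueError:
        return True
    return False


# Constructed samples (not taken from any real capture file).
SAMPLE_STRING_OPTION = bytes([FILTER_LIBPCAP_STRING]) + b"tcp port 80"
# A one-instruction classic BPF program "ret #65535" (accept the whole packet):
# opcode 0x06 is BPF_RET|BPF_K, with jt = jf = 0 and k = 0xFFFF, little-endian.
SAMPLE_BPF_OPTION = bytes([FILTER_BPF_BYTECODE]) + struct.pack("<HBBI", 0x06, 0, 0, 0xFFFF)


if __name__ == "__main__":
    print(decode_if_filter(SAMPLE_STRING_OPTION))
    print(decode_if_filter(SAMPLE_BPF_OPTION))
    print(roundtrip_ok(SAMPLE_STRING_OPTION), roundtrip_ok(SAMPLE_BPF_OPTION))
    print(is_rejected(b"\x02abc"))  # type code 2 is not assigned in the thread
```

The strict rejection of unknown type codes is deliberate: a reader that guessed at the meaning of an unassigned code would be exactly the ambiguity Guy raised about multiple filter options, only at the byte level.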
