[pcap-ng-format] Reading and writing blocks you don't understand
Guy Harris
guy at alum.mit.edu
Sat Jul 19 22:58:50 UTC 2014
On Jul 19, 2014, at 3:00 PM, Michael Tuexen <tuexen at wireshark.org> wrote:
> On 17 Jul 2014, at 14:30, Guy Harris <guy at alum.mit.edu> wrote:
>
>> If you have a pcap-ng file with a section with a given endianness, and a program that reads a pcap-ng file, processes it in some fashion, and writes out a new file, what should that program do with blocks that it doesn't understand?
> This is an interesting question... What about using some bits in the block type to indicate
> what should be done. Basically one bit could mean:
> * stop processing of the file or continue when reading
> Another one could mean:
> * drop when writing or just copy it out.
>
> This could also apply to options...
I.e., divide blocks and options into categories, and encode the category in the block type/option code?
I'm not sure why we'd have a "stop processing of the file or continue when reading" bit. I think the intent behind pcap-ng's extensibility is that unknown block types and options can always be ignored - information might be lost, but it wouldn't make it impossible to process the other blocks in the file; even if, for example, the information provided by a block or option is necessary to properly dissect packets, that information could potentially be supplied out-of-band, or the program reading the file could just stop dissecting and just show raw packet data at a point where it doesn't have enough information to continue.
More information about the pcap-ng-format
mailing list