[pcap-ng-format] "Hardware, OS, User application" - separate options for "what did the capture?" and "what's processed the file"?
Alexis La Goutte
alexis.lagoutte at gmail.com
Wed Jun 1 13:59:35 UTC 2016
Hi,
On Wed, Jun 1, 2016 at 3:10 AM, Guy Harris <guy at alum.mit.edu> wrote:
> On May 30, 2016, at 11:35 PM, Guy Harris <guy at alum.mit.edu> wrote:
>
> > If a capture is done, it might be useful to record, for the machine to
> which the physical interface on which the capture was done is attached:
> >
> > the hardware of that machine;
> >
> > the OS that machine is running;
> >
> > the application that did the capturing;
> >
> > if they are available.
>
> Given the existence of tools that merge capture files, no guarantee can be
> made that any option in the Section Header Block will reflect "the machine
> on which the capture was done", so:
>
> 1) programs shouldn't report the shb_hardware, shb_os, or
> shb_userappl options as pertaining to the machine on which the capture was
> done (yes, Wireshark does that, and, yes, it should stop doing so);
>
> 2) we should have IDB options for both the machine on which the
> capturing application was run and the machine to which the interfaces on
> which the captures were done were attached - the latter should probably be
> omitted if the interface is local;
>
> 3) programs that merge captures should probably only copy over
> shb_hardware, shb_os, and shb_userappl options from the input files if the
> values are the same in all files - and that raises questions about merging
> multi-section files.
>
> So I'd vote for adding to the IDB:
>
> if_hardware - the hardware on the machine doing the capturing and
> writing the capture file;
>
> if_userappl - the application running on that machine;
>
> with if_os specified as being the OS running on that machine, and also
> adding
>
> if_remote_hardware - the hardware on the machine to which the
> interface is attached;
>
> if_remote_os - the OS running on that machine (if any);
>
> if_remote_userappl - the application capturing from that interface and
> sending packets over the wire (e.g., rpcapd);
>
I don't like _remote_. Is it not possible to use _capture_ or another name?
>
> along with
>
> if_interface_hw - a hardware-level description of the adapter on
> which the capture is being done (local adapter for a local machine, remote
> adapter for a remote machine).
>
> The current description of the SHB options in question speaks of them as
> being for the {hardware,OS,application} "used to create the section",
> which, arguably, means that, in a merged capture, it should refer to the
> hardware and OS on which the merging program was run and the merging
> application itself.
>
> Whether editing a capture, by removing packets, adding/removing/changing
> comments, etc. should result in the SHB options being removed or changed is
> another question; my inclination is "no".
> _______________________________________________
> pcap-ng-format mailing list
> pcap-ng-format at winpcap.org
> https://www.winpcap.org/mailman/listinfo/pcap-ng-format
>
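The merge policy in point 3 above (copy shb_hardware, shb_os and shb_userappl into the merged file only when every input agrees on them), as an added example that is not part of this thread, of Wireshark/mergecap, or of any pcapng implementation. It assumes a little-endian, single-section file, decodes options only for SHB and IDB blocks, and the two sample captures are constructed for the example:

```python
"""Constructed example: pcapng SHB/IDB option handling and the merge policy
discussed in the thread (only the little-endian layout is implemented)."""
import struct

SHB_TYPE = 0x0A0D0D0A          # Section Header Block
IDB_TYPE = 0x00000001          # Interface Description Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D
OPT_ENDOFOPT = 0
SHB_HARDWARE, SHB_OS, SHB_USERAPPL = 2, 3, 4   # SHB option codes
IF_NAME, IF_OS = 2, 12                          # IDB option codes
MACHINE_OPTIONS = (SHB_HARDWARE, SHB_OS, SHB_USERAPPL)


def encode_options(opts):
    """Encode [(code, text)] as pcapng options: each value is padded to a
    multiple of 4 bytes and the list is terminated by opt_endofopt."""
    out = bytearray()
    for code, value in opts:
        data = value.encode("utf-8")
        out += struct.pack("<HH", code, len(data)) + data + b"\0" * (-len(data) % 4)
    out += struct.pack("<HH", OPT_ENDOFOPT, 0)
    return bytes(out)


def decode_options(buf):
    """Inverse of encode_options; stops at opt_endofopt or at a truncated header."""
    opts, pos = [], 0
    while pos + 4 <= len(buf):
        code, length = struct.unpack_from("<HH", buf, pos)
        pos += 4
        if code == OPT_ENDOFOPT:
            break
        opts.append((code, buf[pos:pos + length].decode("utf-8", "replace")))
        pos += length + (-length % 4)
    return opts


def block(btype, body):
    """Frame a block body with its type and the leading/trailing total length."""
    total = 8 + len(body) + 4
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def shb(opts):
    # byte-order magic, version 1.0, section length -1 (unknown), then options
    return block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + encode_options(opts))


def idb(linktype, snaplen, opts):
    return block(IDB_TYPE, struct.pack("<HHI", linktype, 0, snaplen) + encode_options(opts))


def parse_blocks(data):
    """Yield (block type, [(code, text)], raw block bytes) for each block.
    Options are decoded for SHB and IDB only; other types yield an empty list."""
    pos = 0
    while pos + 12 <= len(data):
        btype, total = struct.unpack_from("<II", data, pos)
        if total < 12 or pos + total > len(data):
            raise ValueError("bad block length at offset %d" % pos)
        body = data[pos + 8:pos + total - 4]
        if btype == SHB_TYPE:
            opts = decode_options(body[16:])   # skip magic/version/section length
        elif btype == IDB_TYPE:
            opts = decode_options(body[8:])    # skip linktype/reserved/snaplen
        else:
            opts = []
        yield btype, opts, data[pos:pos + total]
        pos += total


def shb_options(data):
    """Options of the first SHB as {code: text} (single-section files only)."""
    for btype, opts, _ in parse_blocks(data):
        if btype == SHB_TYPE:
            return dict(opts)
    return {}


def merged_shb_options(inputs):
    """Point 3 of the thread: the merger copies shb_hardware/shb_os/shb_userappl
    only when every input carries the option with the same value; a value that
    differs, or is missing from any input, is dropped rather than guessed."""
    per_file = [shb_options(d) for d in inputs]
    kept = []
    for code in MACHINE_OPTIONS:
        values = {f.get(code) for f in per_file}
        if len(values) == 1 and None not in values:
            kept.append((code, values.pop()))
    return kept


def merge(inputs):
    """Write one merged section: a new SHB with only the agreed options, then every
    input's non-SHB blocks copied verbatim (per-interface if_os etc. are kept).
    Renumbering interface IDs inside packet blocks is omitted in this example."""
    out = shb(merged_shb_options(inputs))
    for d in inputs:
        out += b"".join(raw for btype, _, raw in parse_blocks(d) if btype != SHB_TYPE)
    return out


# Constructed sample captures: same hardware and capture tool, different OS.
CAP_A = shb([(SHB_HARDWARE, "x86_64"), (SHB_OS, "Linux 4.4"), (SHB_USERAPPL, "dumpcap 2.0")]) \
    + idb(1, 65535, [(IF_NAME, "eth0"), (IF_OS, "Linux 4.4")])
CAP_B = shb([(SHB_HARDWARE, "x86_64"), (SHB_OS, "FreeBSD 10.3"), (SHB_USERAPPL, "dumpcap 2.0")]) \
    + idb(1, 65535, [(IF_NAME, "em0"), (IF_OS, "FreeBSD 10.3")])

if __name__ == "__main__":
    print(merged_shb_options([CAP_A, CAP_B]))   # shb_os is dropped, the other two are kept
```

Because the OS differs between the two inputs, the merged SHB carries shb_hardware and shb_userappl but no shb_os, while each IDB still records its own if_os; a reader of the merged file therefore cannot mistake the SHB for a description of "the machine on which the capture was done".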