[pcap-ng-format] "Hardware, OS, User application" - separate options for "what did the capture?" and "what's processed the file"?
Guy Harris
guy at alum.mit.edu
Wed Jun 1 19:24:51 UTC 2016
On Jun 1, 2016, at 6:59 AM, Alexis La Goutte <alexis.lagoutte at gmail.com> wrote:
> On Wed, Jun 1, 2016 at 3:10 AM, Guy Harris <guy at alum.mit.edu> wrote:
>
>> So I'd vote for adding to the IDB:
>>
>> if_hardware - the hardware on the machine doing the capturing and writing the capture file;
>>
>> if_userappl - the application running on that machine;
>>
>> with if_os specified as being the OS running on that machine, and also adding
>>
>> if_remote_hardware - the hardware on the machine to which the interface is attached;
>>
>> if_remote_os - the OS running on that machine (if any);
>>
>> if_remote_userappl - the capturing from that interface and sending packets over the wire (e.g., rpcapd);
>
> I don't like _remote_ it is not possible to use _capture_ or other name ?
Those fields would only be present if the capture was remote; for a local capture, "the machine doing the capturing and writing the capture file" and "the machine to which the interface is attached" are the same machine, so there'd be no point in providing the if_remote_ fields.
if_capture_ doesn't clearly indicate which of those two machines it is. Do you have another suggestion that makes it clearer that they're referring to the second of those two machines?
More information about the pcap-ng-format
mailing list