[pcap-ng-format] TODO in pcap-ng specifications
Guy Harris
guy at alum.mit.edu
Thu Jun 2 03:03:49 UTC 2016
On Jul 24, 2012, at 6:49 AM, Jasper Bongertz <jasper.bongertz at flane.de> wrote:
> I've just spent a little time in the specs and searched for all TODOs to
> see what can be done about them. I have created a text document with my
> thoughts, and maybe some of you can take a look at it and we can start a
> discussion about it to get things going.
>
> If nobody disagrees I will replace the simple TODO items (for the
> examples mostly) in the SVN sometime end of this week.
OK, for the options we have, from the TODO list:
opt_endofopt only once, if at all
opt_comment multiple
shb_hardware multiple
shb_os multiple
shb_userappl multiple
if_name once
if_description once
if_IPv4addr multiple
if_IPv6addr multiple
if_MACaddr once
if_EUIaddr once
if_speed once
if_tsresol once
if_tzone once
if_filter once
if_os once
if_fcslen once
if_tsoffset once
epb_flags once
epb_hash once
epb_dropcount once
pack_flags once
pack_hash once
ns_dnsname multiple
ns_dnsIP4addr multiple
ns_dnsIP6addr multiple
isb_starttime once
isb_endtime once
isb_ifrecv once
isb_ifdrop once
isb_filteraccept once
isb_osdrop once
isb_usrdeliv once
I've added a "Multiple allowed?" column to the tables of options, and filled it in. Most of them agree with the above, except for:
shb_hardware multiple
shb_os multiple
shb_userappl multiple
For those, I put "no" in - if the capture isn't the result of a merger, they should record information about the machine on which the capture was done, leaving out subsequent processing, and, if it *is* the result of a merger, we need more information than just a list of those values, we need to indicate which hardware/os/userappl combinations belong to which of the input files.
See my "merge IDs" option proposal in another thread.
ns_dnsname multiple
ns_dnsIP4addr multiple
ns_dnsIP6addr multiple
For those, I put "no" in - if the name/address pairings in the capture come from multiple different servers, there should be multiple NRBs, one for each server. That way, there's an indication of which server provided which addresses.
Perhaps there could be multiple addresses, if the server has multiple IP addresses, but only one name - and if the different addresses actually correspond to different servers, all given the same name, perhaps even there, there should be different NRBs.
epb_hash once
pack_hash once
For those, I put "yes" in - there could be multiple hashes for a packet, computed with different hash algorithms.
In addition, multiple custom options are allowed; we can't specify policy for an escape hatch....
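As an added illustration (not part of the original message, nor code from any pcapng implementation), here is a checker that walks a block's options region and enforces the "Multiple allowed?" answers given above for SHB and EPB options. The numeric option codes come from the pcapng specification rather than from this message, little-endian byte order is assumed by default, and unknown or custom option codes are not judged.

```python
import struct
from collections import Counter

# Option codes are taken from the pcapng specification, not from the post.
OPT_ENDOFOPT, OPT_COMMENT = 0, 1
NAMES = {
    "SHB": {2: "shb_hardware", 3: "shb_os", 4: "shb_userappl"},
    "EPB": {2: "epb_flags", 3: "epb_hash", 4: "epb_dropcount"},
}
# Repeatable per the post: opt_comment and epb_hash; shb_* are single-use.
REPEATABLE = {"SHB": {OPT_COMMENT}, "EPB": {OPT_COMMENT, 3}}

def make_option(code, value, endian="<"):
    """Encode one option TLV, padding the value to a 32-bit boundary."""
    pad = b"\0" * (-len(value) % 4)
    return struct.pack(endian + "HH", code, len(value)) + value + pad

def check_options(block, data, endian="<"):
    """Walk a block's options region and return a list of violations."""
    problems, seen, off, ended = [], Counter(), 0, False
    while off < len(data):
        if len(data) - off < 4:
            problems.append("truncated option header")
            break
        code, length = struct.unpack_from(endian + "HH", data, off)
        off += 4
        # Reject a declared length (plus padding) that runs past the region.
        if length + (-length % 4) > len(data) - off:
            problems.append(f"option {code}: length {length} overruns block")
            break
        off += length + (-length % 4)
        if ended:
            problems.append(f"option {code} after opt_endofopt")
        ended = ended or code == OPT_ENDOFOPT
        seen[code] += 1
    for code, count in sorted(seen.items()):
        # Only known, single-use options are judged; others pass through.
        if count > 1 and code in NAMES[block] and code not in REPEATABLE[block]:
            name = NAMES[block][code]
            problems.append(f"{name} appears {count} times but is single-use")
    return problems

if __name__ == "__main__":
    # Constructed sample: an SHB options region that repeats shb_os.
    sample = make_option(3, b"Linux") + make_option(3, b"FreeBSD") + make_option(0, b"")
    print(check_options("SHB", sample))
```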