tcpdump mailing list archives
Re: proposed new pcap format
From: Christian Kreibich <christian () whoop org>
Date: Wed, 24 Mar 2004 15:30:41 +0000
Hi,
in the new format, is it really necessary to have the version number in
every packet? How about making that a separate header and including it
only once at the start of a trace? Also, since with your design there's
the possibility of not actually having a pcap1_info_packet chained into
a pcap1_packet_header (or in fact more than one -- is that a good idea?
mhmm ...), there could simply be one pcap1_packet_header at the
beginning of the file that only contains such a version header ...
It might also be useful to do
    struct pcap1_info_packet {
        struct pcap1_info_container pic;
        bpf_u_int32 linktype;   /* data link type (LINKTYPE_*) */
        bpf_u_int32 caplen;     /* length of portion present */
        bpf_u_int32 len;        /* length this packet (off wire) */
        unsigned char packet_data[0];
    };
instead to make the lengths match the sequence in the current
pcap_pkthdr.
Regards,
Christian.
On Wed, 2004-03-24 at 01:53, Michael Richardson wrote:
This is what I would propose as revision.
Note that the pcap1_packet_header is present on every packet. One can
merge pcap files together with "cat" if one likes.
A suggestion was made to accommodate the nano-second resolution from AIX.
Can you tell me what they do for that? just more bits, sure, but is
there a nano-seconds (32-bits, I guess) + seconds (64 bits?).
    enum pcap1_info_types {
        PCAP_DATACAPTURE,
        PCAP_TIMESTAMP,
    };

    struct pcap1_info_container {
        bpf_u_int32 info_len;   /* in bytes */
        bpf_u_int32 info_type;  /* enum pcap1_info_types */
        unsigned char info_data[0];
    };

    struct pcap1_info_timestamp {
        struct pcap1_info_container pic;
        bpf_int32 thiszone;     /* gmt to local correction */
        struct timeval ts;      /* time stamp */
        bpf_u_int32 sigfigs;    /* accuracy of timestamps */
    };

    struct pcap1_info_packet {
        struct pcap1_info_container pic;
        bpf_u_int32 caplen;     /* length of portion present */
        bpf_u_int32 len;        /* length this packet (off wire) */
        bpf_u_int32 linktype;   /* data link type (LINKTYPE_*) */
        unsigned char packet_data[0];
    };

    struct pcap1_packet_header {
        bpf_u_int32 magic;
        u_short version_major;
        u_short version_minor;
        bpf_u_int32 block_len;
        struct pcap1_info_container pics[0];
    };
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
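
The chained-record layout discussed in this message, as an added example that is not code from either poster or from libpcap: a bounds-checked walk over one pcap1_packet_header block that reports how many packet and timestamp records it carries (zero, one or several). It assumes a placeholder magic value, host byte order, that block_len counts the bytes after the 12-byte header and that info_len includes the 8-byte container, none of which the thread specifies; the packet fields follow the originally proposed order (caplen, len, linktype).

```c
#include <stdint.h>
#include <string.h>

enum pcap1_info_types { PCAP_DATACAPTURE, PCAP_TIMESTAMP };
#define PCAP1_MAGIC 0x50434131u /* placeholder: the thread gives no magic value */
#define HDR_LEN 12u /* magic + version_major + version_minor + block_len */
#define PIC_LEN 8u  /* info_len + info_type */
#define PKT_LEN 12u /* caplen + len + linktype */

static uint32_t rd32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr32(unsigned char *p, uint32_t v) { memcpy(p, &v, 4); }

/* Walk one block; return the record count, or -1 if a length leaves the buffer. */
int pcap1_walk_block(const unsigned char *buf, size_t avail,
                     unsigned *n_packet, unsigned *n_ts)
{
    *n_packet = *n_ts = 0;
    if (avail < HDR_LEN || rd32(buf) != PCAP1_MAGIC) return -1;
    uint32_t block_len = rd32(buf + 8); /* assumed: bytes following the header */
    if (block_len > avail - HDR_LEN) return -1;
    const unsigned char *rec = buf + HDR_LEN;
    uint32_t off = 0; int n = 0;
    while (off < block_len) {
        uint32_t left = block_len - off;
        if (left < PIC_LEN) return -1; /* truncated container */
        uint32_t info_len = rd32(rec + off); /* assumed: counts the container too */
        uint32_t info_type = rd32(rec + off + 4);
        if (info_len < PIC_LEN || info_len > left) return -1;
        if (info_type == PCAP_TIMESTAMP) ++*n_ts;
        if (info_type == PCAP_DATACAPTURE) {
            if (info_len < PIC_LEN + PKT_LEN) return -1;
            uint32_t caplen = rd32(rec + off + PIC_LEN);
            if (caplen > info_len - PIC_LEN - PKT_LEN) return -1;
            ++*n_packet;
        }
        off += info_len; n++; /* any other type is skipped using info_len */
    }
    return n;
}

/* Constructed sample: timestamp record, then packet record with 4 data bytes (24 is its correct info_len). */
void pcap1_sample(unsigned char out[60], uint32_t pkt_info_len)
{
    memset(out, 0, 60); /* version fields and payload bytes are left zero */
    wr32(out, PCAP1_MAGIC); wr32(out + 8, 48);
    wr32(out + 12, 24); wr32(out + 16, PCAP_TIMESTAMP);
    wr32(out + 36, pkt_info_len); wr32(out + 40, PCAP_DATACAPTURE);
    wr32(out + 44, 4); wr32(out + 48, 4); wr32(out + 52, 1); /* caplen, len, linktype */
}
```

Because every record is stepped over by its own info_len, a reader that skipped these checks would follow a wrong length straight past the end of the block.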
