tcpdump mailing list archives
Re: How to record plain text in a pcap file?
From: Guy Harris <guy () alum mit edu>
Date: Mon, 4 Apr 2011 23:09:57 -0700
On Apr 4, 2011, at 10:09 PM, Darren Reed wrote:

> Is there a DLT type for "plain text"?

No.

> That is, can I record or insert text based comments or other data to a pcap file?

No, but you can record them in a pcap-NG file.

The tradeoffs:

With LINKTYPE_PPI+LINKTYPE_TEXT, with no changes, Wireshark will report the LINKTYPE_TEXT packets as an unknown encapsulation, and just show the raw hex and ASCII for the text, which is an ugly UI, but you can at least see the text; with pcap-NG, Wireshark would have to be changed to report the information.

With LINKTYPE_PPI+LINKTYPE_TEXT, with no changes, tcpdump, and probably at least some other libpcap/WinPcap-based programs, will reject the file as unreadable; with pcap-NG, libpcap-based programs using libpcap 1.1 or later (if dynamically-linked, even if they weren't built with libpcap 1.1) will read the file and just ignore the text comments.

With LINKTYPE_PPI+LINKTYPE_TEXT, if you *did* add LINKTYPE_PPI and LINKTYPE_TEXT support to libpcap/WinPcap-based programs such as tcpdump, they'd be able to handle the comments and even report them, as long as the libpcap/WinPcap they're using is recent enough not to throw up if you give even an empty filter string to pcap_compile() with a LINKTYPE_PPI capture, so it'd work with current versions of libpcap and WinPcap; with pcap-NG, in order to have libpcap/WinPcap-based programs report the text comments, we'd need to add APIs that expose the full capabilities of pcap-NG to libpcap/WinPcap, modify the programs to use those APIs and report the comments, and build them against and run them with a libpcap/WinPcap that supports the new APIs.

With LINKTYPE_PPI+LINKTYPE_TEXT, if you want to use libpcap/WinPcap filters on the capture in a libpcap/WinPcap-based program, the libpcap/WinPcap filtering code would have to be modified, possibly significantly, to handle a file where the *actual* encapsulation (as opposed to the "envelope" encapsulation of LINKTYPE_PPI) differs from packet to packet, even if it's just differing between some actual linktype and LINKTYPE_TEXT; with pcap-NG, libpcap filters will Just Work with no API changes or code changes with a libpcap that handles pcap-NG (which will reject mixed link-layer types, so that's not an issue).

With LINKTYPE_PPI+LINKTYPE_TEXT, we have a solution to a particular problem, with a bit of a special-purpose hack (LINKTYPE_TEXT isn't very useful by itself, it's only useful with LINKTYPE_PPI); with pcap-NG, we have something that's a bit cleaner and more cleanly extensible.
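
As an added illustration of the pcap-NG route described in the message above (not part of Guy Harris's reply, and not libpcap or Wireshark code): a minimal writer and reader that attach text to a packet using the pcap-NG `opt_comment` option (code 1) on an Enhanced Packet Block. The helper names, the dummy frame and the comment text are constructed for the example, and only little-endian sections are handled.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 1, 6      # pcap-NG block types used here
OPT_END, OPT_COMMENT = 0, 1           # option codes: opt_endofopt, opt_comment

def pad4(b):
    return b + b"\x00" * (-len(b) % 4)    # block bodies and options align to 32 bits

def option(code, value):
    return struct.pack("<HH", code, len(value)) + pad4(value)

def block(btype, body):
    total = 12 + len(body)                # type + leading and trailing length fields
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def write_capture(packets):               # packets: [(frame_bytes, comment_or_None)]
    out = block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    out += block(IDB, struct.pack("<HHI", 1, 0, 65535))    # 1 = LINKTYPE_ETHERNET
    for ts, (frame, comment) in enumerate(packets):
        body = struct.pack("<IIIII", 0, 0, ts, len(frame), len(frame)) + pad4(frame)
        if comment is not None:
            body += option(OPT_COMMENT, comment.encode("utf-8")) + option(OPT_END, b"")
        out += block(EPB, body)
    return out

def read_comments(data):
    """Return [(packet_index, comment)] for commented packets (little-endian files)."""
    found, pos, index = [], 0, 0
    while pos + 12 <= len(data):
        btype, total = struct.unpack_from("<II", data, pos)
        if total < 12 or total % 4 or data[pos+total-4:pos+total] != data[pos+4:pos+8]:
            raise ValueError("truncated or inconsistent block at offset %d" % pos)
        body = data[pos + 8 : pos + total - 4]
        if btype == EPB:
            caplen = struct.unpack_from("<I", body, 12)[0]
            opt = 20 + caplen + (-caplen % 4)     # options follow the padded packet data
            while opt + 4 <= len(body):
                code, length = struct.unpack_from("<HH", body, opt)
                if code == OPT_END:
                    break
                if code == OPT_COMMENT:
                    found.append((index, body[opt + 4 : opt + 4 + length].decode("utf-8")))
                opt += 4 + length + (-length % 4)
            index += 1
        pos += total
    return found

FRAME = bytes.fromhex("ffffffffffff0200000000010800") + b"\x00"   # constructed dummy frame
SAMPLE = write_capture([(FRAME, None), (FRAME, "link flap seen here")])
```

Because the comment travels as an option on an ordinary packet block, every packet in the file keeps the single link-layer type declared in the Interface Description Block.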
