Re: [OPSAWG] New Version Notification for draft-tuexen-opsawg-pcapng-02.txt

Guy Harris, Wed, 30 September 2020 07:25 UTC

On Sep 29, 2020, at 7:14 PM, Qin Wu wrote:

> Can you clarify what functionality is missing for more modern applications? Since it is an enhancement to libpcap, do you expect all future packet capture tools to support the format defined in this draft?

pcapng is a file format that's a replacement for pcap.

The current version of libpcap can read some pcapng files, but it only shows what can be shown through the existing pcap API, so most of the enhancements don't make a difference to programs using libpcap.  That version of libpcap cannot *write* pcapng files.

macOS's version of libpcap has undocumented APIs that allow macOS's tcpdump to read and write pcapng files.

Wireshark doesn't use libpcap to read capture files; it fully supports reading and writing pcapng files.

In the future, we would like to add new APIs to libpcap that support reading and writing pcapng files (and pcap files as well); the new APIs will make all of the added capabilities of pcapng available.  However, programs that use libpcap will have to be changed to use the new APIs in order to use those added capabilities.  tcpdump will probably be the first program updated to use them.