Re: [OPSAWG] PCAPNG standardisation

Michael Tuexen <Michael.Tuexen@lurchi.franken.de> Thu, 17 July 2014 08:12 UTC

From: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
In-Reply-To: <53C69A6B.1020604@cisco.com>
Date: Thu, 17 Jul 2014 10:11:55 +0200
Message-Id: <8430A745-C4F8-4C2E-859A-5DC2D57F3934@lurchi.franken.de>
References: <36334903-3B26-41FA-A9AE-35B5F74F88AC@lurchi.franken.de> <52D6582A-1740-4601-9ABC-FFCCC3847461@lurchi.franken.de> <53C69A6B.1020604@cisco.com>
To: Benoit Claise <bclaise@cisco.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/opsawg/rfDsQiDTTnqVMv505TfNT-S8UwQ
Cc: OPSAWG@ietf.org, Fulvio Risso <fulvio.risso@polito.it>, Guy Harris <guy@alum.mit.edu>, Jasper Bongertz <jasper@packet-foo.com>
Subject: Re: [OPSAWG] PCAPNG standardisation

On 16 Jul 2014, at 17:29, Benoit Claise <bclaise@cisco.com> wrote:

> Hi Michael,
> 
> You wrote:
> 
>   One of the most accepted packet interchange
>   formats is the one defined by libpcap, which is rather old and is
>   lacking in functionality for more modern applications particularly
>   from the extensibility point of view.
> 
> Can you please expand.
Sure.

Every pcap file starts with a file header, which contains information
about the version, byte ordering, timestamp, snap length and the link
layer type of all packets. After the file header you have a sequence
of records. Every packet starts with a record header containing the
time and the length of the record followed by the actual bytes of
the packet.

A pcapng file consists of a sequence of blocks. Each block has a length
field and a type field. This allows you to add additional blocks in the
future. A reader can also skip blocks he doesn't know. This gives you
extensibility. The blocks currently defined allow you to store more
information than a classical pcap file:
* You can store packets from different interfaces with different link
  layers.
* You can store information about packet drops between captured packets
  (like snoop).
* You can store statistical information about drop numbers during the capture.
* You can store information about DNS names of nodes you capture traffic from.

Best regards
Michael
> 
> Regards, Benoit
>> On 26 Jun 2014, at 19:29, Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote:
>> 
>>> Dear all,
>>> 
>>> I have submitted an ID describing the default packet format
>>> used by Wireshark for saving capture files:
>>> http://www.ietf.org/internet-drafts/draft-tuexen-opswg-pcapng-00.txt
>> Wrong name... Use
>> http://www.ietf.org/internet-drafts/draft-tuexen-opsawg-pcapng-00.txt
>>> Is there any interest in the WG to work on this and improve it?
>>> 
>>> Any comments are welcome!
>>> 
>>> Best regards
>>> Michael
>>> 
>>> _______________________________________________
>>> OPSAWG mailing list
>>> OPSAWG@ietf.org
>>> https://www.ietf.org/mailman/listinfo/opsawg
>>> 
> 
>
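The block layout Michael describes above, as an added example that is not part of this thread or of the pcapng draft: a minimal pcapng reader that uses each block's length field to step over block types it does not know and validates lengths before trusting them, so a truncated or malformed file fails cleanly. The block type 0x0BAD and the sample bytes are constructed for illustration.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # block types defined in the draft


def pcapng_block(btype, body, end="<"):
    """Frame a body as a block: type, total length, body padded to 32 bits, total length again."""
    body += b"\0" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack(end + "II", btype, total) + body + struct.pack(end + "I", total)


def parse_pcapng(data):
    """Walk the block sequence; returns (interfaces, packets, skipped_block_types).
    Unknown block types are skipped via their length field (the extensibility the mail
    describes); lengths are validated first so a bad file raises instead of overrunning."""
    end, ifaces, pkts, skipped, off = "<", [], [], [], 0
    while off + 12 <= len(data):
        btype = struct.unpack(end + "I", data[off:off + 4])[0]  # SHB type reads the same either way
        if btype == SHB:  # byte-order magic fixes the endianness for the rest of this section
            end = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        total = struct.unpack(end + "I", data[off + 4:off + 8])[0]
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("bad block length at offset %d" % off)
        if struct.unpack(end + "I", data[off + total - 4:off + total])[0] != total:
            raise ValueError("trailing length mismatch at offset %d" % off)
        body = data[off + 8:off + total - 4]
        if btype == IDB:  # LinkType(2) Reserved(2) SnapLen(4), then options
            linktype, _, snaplen = struct.unpack(end + "HHI", body[:8])
            ifaces.append((linktype, snaplen))
        elif btype == EPB:  # InterfaceID, TS high, TS low, CapLen, OrigLen, packet data
            iface, ts_hi, ts_lo, caplen, _ = struct.unpack(end + "IIIII", body[:20])
            if iface >= len(ifaces) or caplen > len(body) - 20:
                raise ValueError("EPB at offset %d references bad interface or overruns" % off)
            pkts.append((iface, (ts_hi << 32) | ts_lo, body[20:20 + caplen]))
        elif btype != SHB:
            skipped.append(btype)
        off += total
    return ifaces, pkts, skipped


# Constructed sample file: one section, two interfaces with different link types
# (LINKTYPE_ETHERNET = 1, LINKTYPE_RAW = 101), a packet on each, and a made-up
# block type 0x0BAD (not assigned by the draft) that a reader has to step over.
SAMPLE = b"".join([
    pcapng_block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)),  # byte-order magic, v1.0
    pcapng_block(IDB, struct.pack("<HHI", 1, 0, 65535)),
    pcapng_block(IDB, struct.pack("<HHI", 101, 0, 65535)),
    pcapng_block(0x0BAD, b"opaque-future-data"),
    pcapng_block(EPB, struct.pack("<IIIII", 0, 0, 1000, 5, 5) + b"\xff" * 5),
    pcapng_block(EPB, struct.pack("<IIIII", 1, 0, 2000, 3, 60) + b"\x45\x00\x00"),
])
```

A classic pcap reader has no equivalent of the skipped list: with a single global link type and no block framing, anything new has to go into a new magic number or a new link type rather than a new block.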