Re: [OPSAWG] PCAPNG standardisation
Michael Tuexen <Michael.Tuexen@lurchi.franken.de> Thu, 17 July 2014 08:12 UTC
From: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
To: Benoit Claise <bclaise@cisco.com>
Cc: OPSAWG@ietf.org, Fulvio Risso <fulvio.risso@polito.it>, Guy Harris <guy@alum.mit.edu>, Jasper Bongertz <jasper@packet-foo.com>
Date: Thu, 17 Jul 2014 10:11:55 +0200
Archived-At: http://mailarchive.ietf.org/arch/msg/opsawg/rfDsQiDTTnqVMv505TfNT-S8UwQ
On 16 Jul 2014, at 17:29, Benoit Claise <bclaise@cisco.com> wrote:
> Hi Michael,
>
> You wrote:
>
> One of the most accepted packet interchange
> formats is the one defined by libpcap, which is rather old and is
> lacking in functionality for more modern applications particularly
> from the extensibility point of view.
>
> Can you please expand.

Sure. Every pcap file starts with a file header, which contains information about the version, byte ordering, timestamp, snap length and the link layer type of all packets. After the file header you have a sequence of records. Every packet starts with a record header containing the time and the length of the record, followed by the actual bytes of the packet.

A pcapng file consists of a sequence of blocks. Each block has a length field and a type field. This allows you to add additional blocks in the future. A reader can also skip blocks he doesn't know. This gives you extensibility.

The blocks currently defined allow you to store more information than a classical pcap file:

* You can store packets from different interfaces with different link layers.
* You can store information about packet drops between captured packets (like snoop).
* You can store statistical information about drop numbers during the capture.
* You can store information about DNS names of nodes you capture traffic from.

Best regards
Michael

>
> Regards, Benoit
>> On 26 Jun 2014, at 19:29, Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote:
>>
>>> Dear all,
>>>
>>> I have submitted an ID describing the default packet format
>>> used by Wireshark for saving capture files:
>>> http://www.ietf.org/internet-drafts/draft-tuexen-opswg-pcapng-00.txt
>> Wrong name... Use
>> http://www.ietf.org/internet-drafts/draft-tuexen-opsawg-pcapng-00.txt
>>> Is there any interest in the WG to work on this and improve it?
>>>
>>> Any comments are welcome!
>>>
>>> Best regards
>>> Michael
>>>
>>> _______________________________________________
>>> OPSAWG mailing list
>>> OPSAWG@ietf.org
>>> https://www.ietf.org/mailman/listinfo/opsawg
>>>
>>
>
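The block structure Michael describes above, worked through in code. This is an added example, not code from the thread, from Wireshark or from the draft: it writes a small pcapng file in memory (Section Header Block, Interface Description Block, one block of a type the reader does not know, and one Enhanced Packet Block), then reads it back, detecting the byte order from the SHB's byte-order magic and stepping over the unknown block using its length field, which is exactly the extensibility property of the format. The block type values and field layouts are those of pcapng; the unknown block type 0x0000ABCD, the Ethernet frame, the timestamp and the corrupted-length sample are constructed for this example, and the timestamp is interpreted with the default microsecond resolution (no if_tsresol option is written). The practitioner's caveat a capture-file parser needs is also shown: every block length is validated against the file size, 32-bit alignment and the trailing copy of the length before any of it is trusted, so a malformed file is rejected rather than read out of bounds.

```python
import struct

# pcapng block type values and byte-order magic (from the pcapng spec)
SHB = 0x0A0D0D0A            # Section Header Block; same bytes in either byte order
IDB = 0x00000001            # Interface Description Block
EPB = 0x00000006            # Enhanced Packet Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D
UNKNOWN_TYPE = 0x0000ABCD   # constructed: a block type this reader does not know

# constructed sample: a 17-byte Ethernet frame, so 32-bit padding is exercised
SAMPLE_PACKET = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + b"xyz"
SAMPLE_TS_US = 1405584715000000  # constructed timestamp, microseconds since the epoch


def _pad4(n):
    return (n + 3) & ~3


def build_block(block_type, body, endian):
    """Generic pcapng framing: type, total length, body padded to 32 bits, total length again."""
    body += b"\x00" * (_pad4(len(body)) - len(body))
    total = 12 + len(body)
    return struct.pack(endian + "II", block_type, total) + body + struct.pack(endian + "I", total)


def build_sample(endian="<"):
    """Constructed pcapng file: SHB, one IDB, one unknown block, one EPB, in the given byte order."""
    shb = build_block(SHB, struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1), endian)
    idb = build_block(IDB, struct.pack(endian + "HHI", 1, 0, 65535), endian)  # LINKTYPE_ETHERNET, snaplen
    unknown = build_block(UNKNOWN_TYPE, b"opaque-vendor-data", endian)
    epb_hdr = struct.pack(endian + "IIIII", 0, SAMPLE_TS_US >> 32, SAMPLE_TS_US & 0xFFFFFFFF,
                          len(SAMPLE_PACKET), len(SAMPLE_PACKET))
    epb = build_block(EPB, epb_hdr + SAMPLE_PACKET, endian)
    return shb + idb + unknown + epb


def iter_blocks(data):
    """Yield (type, body, endian) per block, validating each length before trusting it."""
    off, endian = 0, None
    while off < len(data):
        if off + 12 > len(data):
            raise ValueError(f"truncated block header at offset {off}")
        if struct.unpack_from("<I", data, off)[0] == SHB:
            magic = struct.unpack_from("<I", data, off + 8)[0]
            if magic == BYTE_ORDER_MAGIC:
                endian = "<"
            elif magic == 0x4D3C2B1A:  # the magic read with the wrong byte order
                endian = ">"
            else:
                raise ValueError("bad byte-order magic in SHB")
        if endian is None:
            raise ValueError("block before first SHB")
        btype, total = struct.unpack_from(endian + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block total length {total} at offset {off}")
        trailer = struct.unpack_from(endian + "I", data, off + total - 4)[0]
        if trailer != total:
            raise ValueError(f"leading/trailing length mismatch at offset {off}")
        yield btype, data[off + 8:off + total - 4], endian
        off += total


def read_packets(data):
    """Walk the file, collect interfaces and packets, and skip block types we do not know."""
    interfaces, packets, skipped = [], [], []
    for btype, body, e in iter_blocks(data):
        if btype == SHB:
            interfaces = []  # interface IDs are numbered per section
        elif btype == IDB:
            if len(body) < 8:
                raise ValueError("IDB body too short")
            linktype, _reserved, snaplen = struct.unpack_from(e + "HHI", body, 0)
            interfaces.append((linktype, snaplen))
        elif btype == EPB:
            if len(body) < 20:
                raise ValueError("EPB body too short")
            iface, ts_hi, ts_lo, caplen, origlen = struct.unpack_from(e + "IIIII", body, 0)
            if iface >= len(interfaces) or caplen > len(body) - 20:
                raise ValueError("EPB references an unknown interface or overruns its block")
            packets.append({"iface": iface, "ts_us": (ts_hi << 32) | ts_lo,
                            "caplen": caplen, "origlen": origlen, "data": body[20:20 + caplen]})
        else:
            skipped.append(btype)  # unknown block: its length field lets us step over it
    return {"interfaces": interfaces, "packets": packets, "skipped": skipped}


def with_bad_length(data):
    """Constructed corruption of the little-endian sample: first block claims a length past end of file."""
    return data[:4] + struct.pack("<I", 0xFFFFFFF0) + data[8:]


def is_rejected(data):
    """True if the reader refuses the file instead of reading past its end."""
    try:
        read_packets(data)
    except (ValueError, struct.error):
        return True
    return False


if __name__ == "__main__":
    for endian in ("<", ">"):
        print(endian, read_packets(build_sample(endian)))
    print("corrupted file rejected:", is_rejected(with_bad_length(build_sample("<"))))
```

Running the block parses the same capture in both byte orders to the same result, reports the unknown block as skipped rather than as an error, and rejects the copy whose first block length points past the end of the file. The same length-then-type framing is what lets a writer add new block kinds later without breaking older readers, which is the point Michael makes against the fixed record layout of classic pcap.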