IETF Logo Mail Archive

Re: [OPSAWG] adopting draft-gharris-opsawg-pcap and draft-tuexen-opsawg-pcapng

Guy Harris <gharris@sonic.net> Mon, 05 July 2021 01:39 UTC

Return-Path: <gharris@sonic.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18CF73A134D; Sun, 4 Jul 2021 18:39:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AGfFanGbRF-v; Sun, 4 Jul 2021 18:39:30 -0700 (PDT)
Received: from c.mail.sonic.net (c.mail.sonic.net [64.142.111.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D29A83A1338; Sun, 4 Jul 2021 18:39:29 -0700 (PDT)
Received: from smtpclient.apple (173-228-4-126.dsl.dynamic.fusionbroadband.com [173.228.4.126]) (authenticated bits=0) by c.mail.sonic.net (8.15.1/8.15.1) with ESMTPSA id 1651dRTk011295 (version=TLSv1.2 cipher=DHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Sun, 4 Jul 2021 18:39:27 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.100.0.2.22\))
Subject: Re: [OPSAWG] adopting draft-gharris-opsawg-pcap and draft-tuexen-opsawg-pcapng
From: Guy Harris <gharris@sonic.net>
In-Reply-To: <28231.1625447939@localhost>
Date: Sun, 04 Jul 2021 18:39:27 -0700
Cc: opsawg@ietf.org, qlog@ietf.org, quic@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <FAD0FA27-0007-483D-8C26-32F6F23C36E6@sonic.net>
References: <162449794730.28597.16572068303470741654@ietfa.amsl.com> <25597.1625012947@localhost> <0546D69C-6AE0-45FB-8C66-9929BE7B8942@sonic.net> <28231.1625447939@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
X-Mailer: Apple Mail (2.3654.100.0.2.22)
X-Sonic-CAuth: UmFuZG9tSVY3rHvNwyB0x3N8qkqhrsKlLcnwzBXpvAD3IqyvGZ+jVYb6LKQe7h0C22b+iDeQ3xBDmCtWKWdISW6pSX6flse6
X-Sonic-ID: C;AlDC1THd6xGdK9vKcSgy2w== M;gqz01THd6xGdK9vKcSgy2w==
X-Sonic-Spam-Details: 0.0/5.0 by cerberusd
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/koFyKNjqCEbuN0SSbzLnxW1UTAY>
X-Mailman-Approved-At: Mon, 05 Jul 2021 23:50:35 -0700
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Jul 2021 01:39:35 -0000

On Jul 4, 2021, at 6:18 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:

> Guy Harris <gharris@sonic.net> wrote:
>>> The proposal is to adopt draft-gharris-opsawg-pcap as an Informational
>>> document.  This documents the ~30 year old pcap format used by tcpdump,
>>> wireshark, etc.   Almost all of IPv6, DNSSEC, DNS extensions, etc. research
>>> done by many researchers, including for instance, the
>>> https://www.caida.org/projects/network_telescope/ have used pcap files as
>>> their capture format.
>>> We need to do this as *WG* and can not do this as ISE, because the pcap
>>> document establishes the critical LinkType registry.  One of the exchanges
>>> above is about how to "load" this rather large legacy into IANA.
> 
>> Do the link-layer types belong in a pcap I-D/RFC, given that they're
>> used in both pcap and pcapng, and given that there are a lot of them,
>> so that the link-layer types information might swap the pcap format
>> information if they're in a single spec?
> 
> Some document which would be the result of IETF Consensus needs to create the
> link-layer repository, and it needs to initialize the database.

That document doesn't have to be the same document that describes the structure of pcap files, just as there could be separate documents for the structure of pcapng/pcap 2.0 file and for the initial set of block types for pcapng/pcap 2.0.

> I think that you mean "swamp" where you write "swap"?

Yes.

> I don't think it's a problem that they are in the same document.
> The WG could disagree, and tell us to split the document into two.
> 
>> We might want to have a pcap spec, a pcapng spec, and another document
>> that gives detailed descriptions - as detailed as what's in
>> https://www.tcpdump.org/linktypes.html
> 
> The IANA Considerations rules for the repository is "Specification Required",
> but that doesn't mean that the specification has to be in the document we
> submit.  It can be any stable document.  That includes an RFC, but isn't
> restricted to that.
> It is perfectly fine to point at linktypes.html from the IANA Registry.
> There are presently more details in the table than I originally had intended
> to include.


Above, you say

> Some document which would be the result of IETF Consensus needs to create the
> link-layer repository, and it needs to initialize the database.

Does "initialize the database" mean "provide the initial set of entries in the database"?  If so, does it have to provide anything more than "see the entry for LINKTYPE_XYZZY in www.tcpdump.org/linktypes.html for the XYZZY linktype"?  Or, with an extra layer of compression, just have a list of LINKTYPE_XYZZY values with a single "for each linktype in this list, see the entry for that Linotype in www.tcpdump.org/linktypes.html"?

>> So, with that proposal for pcapng/pcap 2.0 would there be, as separate documents:
> 
>> the overall structure, currently covered by sections 1-4 and 6-7 of the
>> spec, and not very changeable;
> 
> Yes.  Call this "pcap2"
> 
>> the definitions of blocks and block-specific options, currently covered
>> by sections 4 and 5, with the blocks currently specified not being
>> changeable other than using reserved fields and adding new options, but
>> with adding new block types being allowed;
> 
> I would include, in "pcap2" all the current blocks that correspond to capture
> types present in pcap1.

("pcap1" presumably being the current pcap file format.)

What do you mean by "capture types"?

If you're referring to linktypes, different linktypes don't have different block types.  The only current (as opposed to deprecated) block types corresponding to what appears in pcap files are the Enhanced Packet Block (EPB) and the Simple Packet Block (SPB), and the latter is arguably different from a pcap record given that it doesn't have a time stamp - "editcap -T pcap pcap-file.pcap pcapng-file.pcapng" will write out one Section Header Block, one Interface Description Block, and a pile of EPBs.

> Then, I'd put all the things which aren't about capture of IP packets
> (e.g. systemd, USB, ...) into another (informational) document.

systemd journal entries and USB packets are different here - USB packets are stored in EPBs, just as they're stored in pcap files (i.e., USB packets have a LINKTYPE_ value usable in both pcap files and pcapng Interface Description Blocks - well, several of them, given that different OSes supply different pseudo-headers), but systemd journal entries have their own block type.

> Or perhaps just leave them in a web page, having pointed at them in pcap2's
> IANA Considerations.

So have the bulk of the information about linktypes, block types, and block-specific option types be on some web site not in in ietf.org, with the registry just giving linktype/block type/option names and numbers, along with a link to that site?

v2.23.0 | Report a Bug | By Email