Wireshark · Ethereal-dev: Re: [Ethereal-dev] Re: [tcpdump-workers] New capture file format ideas?

[Johan Jorgensen <johan.jorgensen@xxxxxxxx>]

Hello Darren, 

I personally would prefer the approach using meta data. In an earlier
posting I suggested a plugin interface to be used with esoteric hardware
(in my case 802.11 devices) . Someone (I think it was Guy) came up with
the idea of having wiretap (i.e. pcap) support plugins. My suggestion is
to use the two meta data fields to do the following:

1. Specify what plugin to use in order to read, write and process the 
metadata
2. Specify offset to the meta data (perhaps stored in a separate file).

The second file containing meta-data would then specify any sort of data
we could think of (preceeded by a length field). It would be up to the
plugin to read and write meta data. If the application does not support
a particular plugin we could just skip the two meta-data fields in the
packet record. In my little ASCII art below I explicitly outlined the 
fields "Plugin ID" and "meta offset" (should be a part of the packet
record). The part labeled "plugin data" could be used by the plugin
mechanism to identify plugins/dissectors etc i.e. associating the
plugin-id with a particular plugin in a platform independent way. All
records/datafields should be in network byte order, but I guess that
goes without saying. 

Best regards
Johan Jorgensen



                                          Supporting file format
New capture format (RFC1761 like)         containing meta data
+-----------------+
|     Header      | 
+-----------------+
|   Plugin data   |
+-----------------+                       +-------------------+
| Packet record   |                       |  Meta file header |
| Plugin ID       |                       +-------------------+
| Meta offset     +---------------------->|     Meta Length   |
+-----------------+                       +-------------------+
| Captured packet |                       |                   |
+-----------------+                       |      Meta data    |
| Packet record   |                       |                   |
| Plugin ID       |                       +-------------------+
| Meta offset     +---------------------->|     Meta Length   |
+-----------------+                       +-------------------+
| Captured packet |                       |      Meta data    |
+-----------------+                       +-------------------+

begin:vcard 
n:Jorgensen;Johan
tel;work:+46 (0)46 272 34 54
x-mozilla-html:FALSE
org:Axis Communications AB;Research & Core Technology
version:2.1
email;internet:Johan.Jorgensen@xxxxxxxx
title:HW/SW Engineer
adr;quoted-printable:;;Scheelevagen 34	=0D=0ASE-223 63 LUND;;;;SWEDEN
x-mozilla-cpt:;-7072
fn:Johan Jorgensen
end:vcard