Guy Harris wrote:
On Oct 28, 2003, at 7:18 AM, Jeff Morriss wrote:
I was updating the RawSS7 dissector to have just the embedded
protocol/LINKTYPE_ (e.g., removing the length) when I came across
WTAP_ENCAP_PER_PACKET--which is exactly what the RawSS7 dissector
looks like now. The 'mergecap' man page says PCAP files don't support
WTAP_ENCAP_PER_PACKET, but I looked into extending wiretap's libpcap
routines to deal with it
...which means, in effect, extending libpcap format, albeit through a
bit of a hack.
Well yes--but the #define was already there! ;-)
and it didn't seem too hard.
Well, what I have in mind for a next-generation libpcap format includes
adding some additional information to the per-packet header - but what I
had in mind was an interface index, not a link-layer type. The file
would have a list of network interfaces, with various attributes - at
minimum, an interface index number and a link-layer type (the interface
index number is supplied in case, for whatever reason, the interface
indices in the capture aren't a dense set of integers starting at 0),
and also perhaps names and descriptions (optional parameters).
Would that work for SS7? If so, perhaps we should stick with the RawSS7
for now, and adopt the next-generation libpcap format as soon as it's
final (I intend it to be an extensible format, with TLV-based per-file,
per-packet, etc. attributes, so "final" just means "good enough to
implement in libpcap and Wiretap, and good enough to build upon").
Definately--in fact I have quite a few things I am looking forward to
with PCAP-NG (like comment TLV's). It's just I have a use (now) for
having different protocols in one file. (Largely because our "capture"
process doesn't actually do the capturing--it just writes down whatever
is sent to it, regardless of where it came from (and maintaining N open
files is painful).)
Anyway, I'll toss out this stuff and finish taking the length out of RawSS7.
