https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3096
Guy Harris <guy@xxxxxxxxxxxx> changed:
           What    |Removed |Added
----------------------------------------------------------------------------
           Platform|PC      |All
--- Comment #1 from Guy Harris <guy@xxxxxxxxxxxx> 2008-12-04 16:42:30 PDT ---
No protocol analyzer I know of will just ignore packets with a special network
type as not understood. What they'll do with them depends on the analyzer.
A packet time stamp of 0 means January 1, 1970, 00:00:00 GMT, so, while it's
unlikely, it's not invalid - and it's likely to confuse the heck out of
applications that don't know about it (i.e., anything that can read a libpcap
file, including existing versions of Wireshark, tcpdump, snort, etc.).
Not all link-layer types have a type value, and there aren't necessarily any
"can never occur on the wire" types for a given link-layer type. We could try
to register our own Ethernet type (just as I *hope* Microsoft did for the fake
Ethernet type they use in Network Monitor files for statistics and the like),
although that only handles Ethernet and LAN types using 802.2; it won't handle,
for example, PPP.
The ultimate correct answer is pcap-NG:
http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
which already defines a comment option, containing a UTF-8 text string, which
can be attached to a number of record types including packet records.
Unfortunately, libpcap doesn't support pcap-NG, so many other applications,
including tcpdump, don't support it, and Wireshark's support is limited, so
it's not ready for this yet.
The PPI link-layer type:
http://www.cacetech.com/documents/PPI_Header_format_1.0.1.pdf
could perhaps be extended for this; unfortunately, that can't be read by all
applications that handle libpcap files, so it's not much better than pcap-NG in
terms of compatibility.
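Added example, not part of the bug report and not code from Wireshark, libpcap or the pcap-NG draft: a minimal pcap-NG writer and reader in Python that attaches the opt_comment option (code 1, UTF-8 text) to an Enhanced Packet Block, which is the mechanism the comment above points to as the correct way to mark packets, and reads it back. The block layouts and option codes follow the pcapng specification (Section Header Block, Interface Description Block, Enhanced Packet Block; default microsecond timestamps when no if_tsresol option is present). The Ethernet frame, the comment text and the timestamps are constructed for the example; ts_to_utc is included to show that a timestamp of 0 decodes to 1970-01-01 00:00:00 UTC and is therefore a legal, if unlikely, value.

```python
import struct
from datetime import datetime, timedelta, timezone

# pcapng block types and option codes (pcapng specification).
SHB_TYPE = 0x0A0D0D0A          # Section Header Block
IDB_TYPE = 0x00000001          # Interface Description Block
EPB_TYPE = 0x00000006          # Enhanced Packet Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D
OPT_ENDOFOPT = 0
OPT_COMMENT = 1                # UTF-8 string, allowed on any block type
LINKTYPE_ETHERNET = 1


def _pad4(data: bytes) -> bytes:
    """Pad to a 32-bit boundary; every pcapng block body and option value is aligned."""
    return data + b"\x00" * (-len(data) % 4)


def _block(block_type: int, body: bytes) -> bytes:
    """Generic block framing: type, total length, body, total length (repeated)."""
    total = 8 + len(body) + 4
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def _options(opts) -> bytes:
    """Encode (code, raw value) pairs, each padded, then terminate with opt_endofopt."""
    out = b"".join(struct.pack("<HH", code, len(value)) + _pad4(value)
                   for code, value in opts)
    return out + struct.pack("<HH", OPT_ENDOFOPT, 0)


def section_header() -> bytes:
    # byte-order magic, major 1, minor 0, section length -1 (unspecified)
    return _block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))


def interface_block(linktype: int = LINKTYPE_ETHERNET, snaplen: int = 65535) -> bytes:
    # No if_tsresol option, so packet timestamps are in microseconds.
    return _block(IDB_TYPE, struct.pack("<HHI", linktype, 0, snaplen))


def packet_block(iface_id: int, ts_usec: int, data: bytes, comment=None) -> bytes:
    """Enhanced Packet Block; a comment, if given, is carried as an opt_comment option."""
    body = struct.pack("<IIIII", iface_id, ts_usec >> 32, ts_usec & 0xFFFFFFFF,
                       len(data), len(data)) + _pad4(data)
    if comment is not None:
        body += _options([(OPT_COMMENT, comment.encode("utf-8"))])
    return _block(EPB_TYPE, body)


def read_packets(blob: bytes) -> list:
    """Walk the blocks and return (ts_usec, data, comment) for every EPB."""
    packets, off = [], 0
    while off < len(blob):
        btype, total = struct.unpack_from("<II", blob, off)
        if total < 12 or total % 4 or off + total > len(blob):
            raise ValueError(f"bad block length {total} at offset {off}")
        if struct.unpack_from("<I", blob, off + total - 4)[0] != total:
            raise ValueError(f"trailing length mismatch at offset {off}")
        if btype == EPB_TYPE:
            _iface, ts_hi, ts_lo, caplen, _origlen = struct.unpack_from("<IIIII", blob, off + 8)
            data_off = off + 28
            data = bytes(blob[data_off:data_off + caplen])
            opt_off, end, comment = data_off + ((caplen + 3) & ~3), off + total - 4, None
            while opt_off + 4 <= end:          # the options field may be absent entirely
                code, length = struct.unpack_from("<HH", blob, opt_off)
                if code == OPT_ENDOFOPT:
                    break
                value = blob[opt_off + 4:opt_off + 4 + length]
                if code == OPT_COMMENT:
                    comment = value.decode("utf-8")
                opt_off += 4 + ((length + 3) & ~3)
            packets.append(((ts_hi << 32) | ts_lo, data, comment))
        off += total
    return packets


def ts_to_utc(ts_usec: int) -> str:
    """Microsecond timestamp -> ISO 8601 UTC; 0 is 1970-01-01T00:00:00, a legal value."""
    return (datetime(1970, 1, 1, tzinfo=timezone.utc)
            + timedelta(microseconds=ts_usec)).strftime("%Y-%m-%dT%H:%M:%S")


# Constructed sample data (not from a real capture): a 42-byte Ethernet frame
# with the ARP ethertype and a zeroed payload, plus a non-ASCII comment string.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 28
SAMPLE_COMMENT = "injected by test harness \u2713 not seen on the wire"


def build_sample_capture() -> bytes:
    """One section, one Ethernet interface, two packets: one annotated, one not."""
    return (section_header()
            + interface_block()
            + packet_block(0, 0, SAMPLE_FRAME, SAMPLE_COMMENT)
            + packet_block(0, 1_228_408_950_000_000, SAMPLE_FRAME))


if __name__ == "__main__":
    for ts, data, comment in read_packets(build_sample_capture()):
        print(ts_to_utc(ts), len(data), "bytes, comment:", comment)
```

Writing build_sample_capture() to a file with a .pcapng extension produces something a pcapng-capable reader can open; the comment travels with the packet record rather than being smuggled into the packet bytes or the link-layer type, which is the compatibility problem the comment above describes. A reader that does not understand opt_comment skips it by length, so the option is harmless to tools that ignore it.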