On Dec 2, 2008, at 5:55 AM, Barry Constantine wrote:
My company builds hardware based network analyzers and we are going
to capture 1G/10G line rate and store in native pcap format.
If possible, it would be beneficial for us to store some extra
information in the packet headers that is unique to our ability to
use custom NIC hardware (FCS errors, collisions, etc..).
I looked at the PCAP format and am thinking there are no spare
bits / fields to accomplish this. We do plan to enable nsec
timestamp option.
Can anyone tell me if there is a way to store additional information
in the pcap file (per packet) that would not cause problems for
normal Wireshark decoding?
One possibility might be to use the DLT_PPI link-layer type and add
Ethernet packet information:
http://www.cacetech.com/documents/PPI_Header_format_1.0.1.pdf
The ideal would be to use pcap-NG, but using PPI might at least be a
good near-term fix.
