summaryrefslogtreecommitdiffstats
path: root/doc/pcap.txt
diff options
context:
space:
mode:
authorrpaulo <rpaulo@FreeBSD.org>2009-03-20 13:44:43 +0000
committerrpaulo <rpaulo@FreeBSD.org>2009-03-20 13:44:43 +0000
commit5779dabf1bcc73045f0168dfb4ff50af3eca292a (patch)
treeb8e8721c09f593e90db0d033af066542e6167439 /doc/pcap.txt
parent446242760ec28d8a7634115ac07f647f057e2ed5 (diff)
downloadFreeBSD-src-5779dabf1bcc73045f0168dfb4ff50af3eca292a.zip
FreeBSD-src-5779dabf1bcc73045f0168dfb4ff50af3eca292a.tar.gz
Flatten vendor/libpcap and remove keyword expansion.
Diffstat (limited to 'doc/pcap.txt')
-rw-r--r--doc/pcap.txt1680
1 files changed, 1680 insertions, 0 deletions
diff --git a/doc/pcap.txt b/doc/pcap.txt
new file mode 100644
index 0000000..cfa6645
--- /dev/null
+++ b/doc/pcap.txt
@@ -0,0 +1,1680 @@
+
+
+Network Working Group L. Degioanni
+Internet-Draft F. Risso
+Expires: August 30, 2004 Politecnico di Torino
+ March 2004
+
+
+ PCAP New Generation Dump File Format
+ pcap
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that other
+ groups may also distribute working documents as Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at http://
+ www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on August 30, 2004.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+ This document describes a format to dump captured packets on a file.
+ This format is extensible and it is currently proposed for
+ implementation in the libpcap/WinPcap packet capture library.
+
+
+
+
+
+
+
+
+
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 1]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+Table of Contents
+
+ 1. Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. General File Structure . . . . . . . . . . . . . . . . . . . . 4
+ 2.1 General Block Structure . . . . . . . . . . . . . . . . . . . 4
+ 2.2 Block Types . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 2.3 Block Hierarchy and Precedence . . . . . . . . . . . . . . . . 5
+ 2.4 Data format . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 3. Block Definition . . . . . . . . . . . . . . . . . . . . . . . 8
+ 3.1 Section Header Block (mandatory) . . . . . . . . . . . . . . . 8
+ 3.2 Interface Description Block (mandatory) . . . . . . . . . . . 9
+ 3.3 Packet Block (optional) . . . . . . . . . . . . . . . . . . . 13
+ 3.4 Simple Packet Block (optional) . . . . . . . . . . . . . . . . 15
+ 3.5 Name Resolution Block (optional) . . . . . . . . . . . . . . . 16
+ 3.6 Interface Statistics Block (optional) . . . . . . . . . . . . 18
+ 4. Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
+ 5. Experimental Blocks (deserved to a further investigation) . . 23
+ 5.1 Other Packet Blocks (experimental) . . . . . . . . . . . . . . 23
+ 5.2 Compression Block (experimental) . . . . . . . . . . . . . . . 23
+ 5.3 Encryption Block (experimental) . . . . . . . . . . . . . . . 23
+ 5.4 Fixed Length Block (experimental) . . . . . . . . . . . . . . 24
+ 5.5 Directory Block (experimental) . . . . . . . . . . . . . . . . 25
+ 5.6 Traffic Statistics and Monitoring Blocks (experimental) . . . 25
+ 5.7 Event/Security Block (experimental) . . . . . . . . . . . . . 25
+ 6. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 27
+ 7. Most important open issues . . . . . . . . . . . . . . . . . . 28
+ Intellectual Property and Copyright Statements . . . . . . . . 29
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 2]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+1. Objectives
+
+ The problem of exchanging packet traces becomes more and more
+ critical every day; unfortunately, no standard solutions exist for
+ this task right now. One of the most accepted packet interchange
+ formats is the one defined by libpcap, which is rather old and does
+ not fit for some of the nowadays applications especially in terms of
+ extensibility.
+
+ This document proposes a new format for dumping packet traces. The
+ following goals are being pursued:
+
+ o Extensibility: aside of some common functionalities, third parties
+ should be able to enrich the information embedded in the file with
+ proprietary extensions, which will be ignored by tools that are
+ not able to understand them.
+
+ o Portability: a capture trace must contain all the information
+ needed to read data independently from network, hardware and
+ operating system of the machine that made the capture.
+
+ o Merge/Append data: it should be possible to add data at the end of
+ a given file, and the resulting file must still be readable.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 3]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+2. General File Structure
+
+2.1 General Block Structure
+
+ A capture file is organized in blocks, that are appended one to
+ another to form the file. All the blocks share a common format, which
+ is shown in Figure 1.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Block Type |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Block Total Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / Block Body /
+ / /* variable length, aligned to 32 bits */ /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Block Total Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 1: Basic block structure.
+
+ The fields have the following meaning:
+
+ o Block Type (32 bits): unique value that identifies the block.
+ Values whose Most Significant Bit (MSB) is equal to 1 are reserved
+ for local use. They allow to save private data to the file and to
+ extend the file format.
+
+ o Block Total Length: total size of this block, in bytes. For
+ instance, a block that does not have a body has a length of 12
+ bytes.
+
+ o Block Body: content of the block.
+
+ o Block Total Length: total size of this block, in bytes. This field
+ is duplicated for permitting backward file navigation.
+
+ This structure, shared among all blocks, makes easy to process a file
+ and to skip unneeded or unknown blocks. Blocks can be nested one
+ inside the others (NOTE: needed?). Some of the blocks are mandatory,
+ i.e. a dump file is not valid if they are not present, other are
+ optional.
+
+ The structure of the blocks allows to define other blocks if needed.
+ A parser that does non understand them can simply ignore their
+ content.
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 4]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+2.2 Block Types
+
+ The currently defined blocks are the following:
+
+ 1. Section Header Block: it defines the most important
+ characteristics of the capture file.
+
+ 2. Interface Description Block: it defines the most important
+ characteristics of the interface(s) used for capturing traffic.
+
+ 3. Packet Block: it contains a single captured packet, or a portion
+ of it.
+
+ 4. Simple Packet Block: it contains a single captured packet, or a
+ portion of it, with only a minimal set of information about it.
+
+ 5. Name Resolution Block: it defines the mapping from numeric
+ addresses present in the packet dump and the canonical name
+ counterpart.
+
+ 6. Capture Statistics Block: it defines how to store some
+ statistical data (e.g. packet dropped, etc) which can be useful
+ to undestand the conditions in which the capture has been made.
+
+ 7. Compression Marker Block: TODO
+
+ 8. Encryption Marker Block: TODO
+
+ 9. Fixed Length Marker Block: TODO
+
+ The following blocks instead are considered interesting but the
+ authors believe that they deserve more in-depth discussion before
+ being defined:
+
+ 1. Further Packet Blocks
+
+ 2. Directory Block
+
+ 3. Traffic Statistics and Monitoring Blocks
+
+ 4. Alert and Security Blocks
+
+ TODO Currently standardized Block Type codes are specified in
+ Appendix 1.
+
+2.3 Block Hierarchy and Precedence
+
+ The file must begin with a Section Header Block. However, more than
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 5]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+ one Section Header Block can be present on the dump, each one
+ covering the data following it till the next one (or the end of
+ file). A Section includes the data delimited by two Section Header
+ Blocks (or by a Section Header Block and the end of the file),
+ including the first Section Header Block.
+
+ In case an application cannot read a Section because of different
+ version number, it must skip everything until the next Section Header
+ Block. Note that, in order to properly skip the blocks until the next
+ section, all blocks must have the fields Type and Length at the
+ beginning. This is a mandatory requirement that must be maintained in
+ future versions of the block format.
+
+ Figure 2 shows two valid files: the first has a typical
+ configuration, with a single Section Header that covers the whole
+ file. The second one contains three headers, and is normally the
+ result of file concatenation. An application that understands only
+ version 1.0 of the file format skips the intermediate section and
+ restart processing the packets after the third Section Header.
+
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | SHB v1.0 | Data |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Typical configuration with a single Section Header Block
+
+
+ |-- 1st Section --|-- 2nd Section --|-- 3rd Section --|
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | SHB v1.0 | Data | SHB V1.1 | Data | SHB V1.0 | Data |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Configuration with three different Section Header Blocks
+
+ Figure 2: File structure example: the Section Header Block.
+
+ NOTE: TO BE COMPLETED with some examples of other blocks
+
+2.4 Data format
+
+ Data contained in each section will always be saved according to the
+ characteristics (little endian / big endian) of the dumping machine.
+ This refers to all fields that are saved as numbers and that span
+ over two or more bytes.
+
+ The approach of having each section saved in the native format of the
+ generating host is more efficient because it avoids translation of
+ data when reading / writing on the host itself, which is the most
+ common case when generating/processing capture dumps.
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 6]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+ TODO Probably we have to specify something more here. Is what we're
+ saying enough to avoid any kind of ambiguity?.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 7]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+3. Block Definition
+
+ This section details the format of the body of the blocks currently
+ defined.
+
+3.1 Section Header Block (mandatory)
+
+ The Section Header Block is mandatory. It identifies the beginning of
+ a section of the capture dump file. Its format is shown in Figure 3.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Magic |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Major | Minor |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / /
+ / Options (variable) /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 3: Section Header Block format.
+
+ The meaning of the fields is:
+
+ o Magic: magic number, whose value is the hexadecimal number
+ 0x1A2B3C4D. This number can be used to distinguish section that
+ have been saved on little-endian machines from the one saved on
+ big-endian machines.
+
+ o Major: number of the current mayor version of the format. Current
+ value is 1.
+
+ o Minor: number of the current minor version of the format. Current
+ value is 0.
+
+ o Options: optionally, a list of options (formatted according to the
+ rules defined in Section 4) can be present.
+
+ Aside form the options defined in Section 4, the following options
+ are valid within this block:
+
+ +----------------+----------------+----------------+----------------+
+ | Name | Code | Length | Description |
+ +----------------+----------------+----------------+----------------+
+ | Hardware | 2 | variable | An ascii |
+ | | | | string |
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 8]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+ | | | | containing the |
+ | | | | description of |
+ | | | | the hardware |
+ | | | | used to create |
+ | | | | this section. |
+ | | | | |
+ | Operating | 3 | variable | An ascii |
+ | System | | | string |
+ | | | | containing the |
+ | | | | name of the |
+ | | | | operating |
+ | | | | system used to |
+ | | | | create this |
+ | | | | section. |
+ | | | | |
+ | User | 3 | variable | An ascii |
+ | Application | | | string |
+ | | | | containing the |
+ | | | | name of the |
+ | | | | application |
+ | | | | used to create |
+ | | | | this section. |
+ +----------------+----------------+----------------+----------------+
+
+ Table 1
+
+ The Section Header Block does not contain data but it rather
+ identifies a list of blocks (interfaces, packets) that are logically
+ correlated. This block does not contain any reference to the size of
+ the section it is currently delimiting, therefore the reader cannot
+ skip a whole section at once. In case a section must be skipped, the
+ user has to repeatedly skip all the blocks contained within it; this
+ makes the parsing of the file slower but it permits to append several
+ capture dumps at the same file.
+
+3.2 Interface Description Block (mandatory)
+
+ The Interface Description Block is mandatory. This block is needed to
+ specify the characteristics of the network interface on which the
+ capture has been made. In order to properly associate the captured
+ data to the corresponding interface, the Interface Description Block
+ must be defined before any other block that uses it; therefore, this
+ block is usually placed immediately after the Section Header Block.
+
+ An Interface Description Block is valid only inside the section which
+ it belongs to. The structure of a Interface Description Block is
+ shown in Figure 4.
+
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 9]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Interface ID | LinkType |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | SnapLen |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / /
+ / Options (variable) /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 4: Interface Description Block format.
+
+ The meaning of the fields is:
+
+ o Interface ID: a progressive number that identifies uniquely any
+ interface inside current section. Two Interface Description Blocks
+ can have the same Interface ID only if they are in different
+ sections of the file. The Interface ID is referenced by the packet
+ blocks.
+
+ o LinkType: a value that defines the link layer type of this
+ interface.
+
+ o SnapLen: maximum number of bytes dumped from each packet. The
+ portion of each packet that exceeds this value will not be stored
+ in the file.
+
+ o Options: optionally, a list of options (formatted according to the
+ rules defined in Section 4) can be present.
+
+ In addition to the options defined in Section 4, the following
+ options are valid within this block:
+
+ +----------------+----------------+----------------+----------------+
+ | Name | Code | Length | Description |
+ +----------------+----------------+----------------+----------------+
+ | if_name | 2 | Variable | Name of the |
+ | | | | device used to |
+ | | | | capture data. |
+ | | | | |
+ | if_IPv4addr | 3 | 8 | Interface |
+ | | | | network |
+ | | | | address and |
+ | | | | netmask. |
+ | | | | |
+ | if_IPv6addr | 4 | 17 | Interface |
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 10]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+ | | | | network |
+ | | | | address and |
+ | | | | prefix length |
+ | | | | (stored in the |
+ | | | | last byte). |
+ | | | | |
+ | if_MACaddr | 5 | 6 | Interface |
+ | | | | Hardware MAC |
+ | | | | address (48 |
+ | | | | bits). |
+ | | | | |
+ | if_EUIaddr | 6 | 8 | Interface |
+ | | | | Hardware EUI |
+ | | | | address (64 |
+ | | | | bits), if |
+ | | | | available. |
+ | | | | |
+ | if_speed | 7 | 8 | Interface |
+ | | | | speed (in |
+ | | | | bps). |
+ | | | | |
+ | if_tsaccur | 8 | 1 | Precision of |
+ | | | | timestamps. If |
+ | | | | the Most |
+ | | | | Significant |
+ | | | | Bit is equal |
+ | | | | to zero, the |
+ | | | | remaining bits |
+ | | | | indicates the |
+ | | | | accuracy as as |
+ | | | | a negative |
+ | | | | power of 10 |
+ | | | | (e.g. 6 means |
+ | | | | microsecond |
+ | | | | accuracy). If |
+ | | | | the Most |
+ | | | | Significant |
+ | | | | Bit is equal |
+ | | | | to zero, the |
+ | | | | remaining bits |
+ | | | | indicates the |
+ | | | | accuracy as as |
+ | | | | negative power |
+ | | | | of 2 (e.g. 10 |
+ | | | | means 1/1024 |
+ | | | | of second). If |
+ | | | | this option is |
+ | | | | not present, a |
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 11]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+ | | | | precision of |
+ | | | | 10^-6 is |
+ | | | | assumed. |
+ | | | | |
+ | if_tzone | 9 | 4 | Time zone for |
+ | | | | GMT support |
+ | | | | (TODO: specify |
+ | | | | better). |
+ | | | | |
+ | if_flags | 10 | 4 | Interface |
+ | | | | flags. (TODO: |
+ | | | | specify |
+ | | | | better. |
+ | | | | Possible |
+ | | | | flags: |
+ | | | | promiscuous, |
+ | | | | inbound/outbou |
+ | | | | nd, traffic |
+ | | | | filtered |
+ | | | | during |
+ | | | | capture). |
+ | | | | |
+ | if_filter | 11 | variable | The filter |
+ | | | | (e.g. "capture |
+ | | | | only TCP |
+ | | | | traffic") used |
+ | | | | to capture |
+ | | | | traffic. The |
+ | | | | first byte of |
+ | | | | the Option |
+ | | | | Data keeps a |
+ | | | | code of the |
+ | | | | filter used |
+ | | | | (e.g. if this |
+ | | | | is a libpcap |
+ | | | | string, or BPF |
+ | | | | bytecode, and |
+ | | | | more). More |
+ | | | | details about |
+ | | | | this format |
+ | | | | will be |
+ | | | | presented in |
+ | | | | Appendix XXX |
+ | | | | (TODO). |
+ | | | | |
+ | if_opersystem | 12 | variable | An ascii |
+ | | | | string |
+ | | | | containing the |
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 12]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+ | | | | name of the |
+ | | | | operating |
+ | | | | system of the |
+ | | | | machine that |
+ | | | | hosts this |
+ | | | | interface. |
+ | | | | This can be |
+ | | | | different from |
+ | | | | the same |
+ | | | | information |
+ | | | | that can be |
+ | | | | contained by |
+ | | | | the Section |
+ | | | | Header Block |
+ | | | | (Section 3.1) |
+ | | | | because the |
+ | | | | capture can |
+ | | | | have been done |
+ | | | | on a remote |
+ | | | | machine. |
+ +----------------+----------------+----------------+----------------+
+
+ Table 2
+
+
+3.3 Packet Block (optional)
+
+ A Packet Block is the standard container for storing the packets
+ coming from the network. The Packet Block is optional because packets
+ can be stored either by means of this block or the Simple Packet
+ Block, which can be used to speed up dump generation. The format of a
+ packet block is shown in Figure 5.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 13]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Interface ID | Drops Count |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Timestamp (High) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Timestamp (Low) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Captured Len |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Packet Len |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Packet Data |
+ | |
+ | /* variable length, byte-aligned */ |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / /
+ / Options (variable) /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 5: Packet Block format.
+
+ The Packet Block has the following fields:
+
+ o Interface ID: Specifies the interface this packet comes from, and
+ corresponds to the ID of one of the Interface Description Blocks
+ present in this section of the file (see Figure 4).
+
+ o Drops Count: a local drop counter. It specified the number of
+ packets lost (by the interface and the operating system) between
+ this packet and the preceding one. The value xFFFF (in
+ hexadecimal) is reserved for those systems in which this
+ information is not available.
+
+ o Timestamp (High): the most significative part of the timestamp. in
+ standard Unix format, i.e. from 1/1/1970.
+
+ o Timestamp (Low): the less significative part of the timestamp. The
+ way to interpret this field is specified by the 'ts_accur' option
+ (see Figure 4) of the Interface Description block referenced by
+ this packet. If the Interface Description block does not contain a
+ 'ts_accur' option, then this field is expressed in microseconds.
+
+ o Captured Len: number of bytes captured from the packet (i.e. the
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 14]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+ length of the Packet Data field). It will be the minimum value
+ among the actual Packet Length and the snapshot length (defined in
+ Figure 4).
+
+ o Packet Len: actual length of the packet when it was transmitted on
+ the network. Can be different from Captured Len if the user wants
+ only a snapshot of the packet.
+
+ o Packet Data: the data coming from the network, including
+ link-layer headers. The length of this field is Captured Len. The
+ format of the link-layer headers depends on the LinkType field
+ specified in the Interface Description Block (see Section 3.2) and
+ it is specified in Appendix XXX (TODO).
+
+ o Options: optionally, a list of options (formatted according to the
+ rules defined in Section 4) can be present.
+
+
+3.4 Simple Packet Block (optional)
+
+ The Simple Packet Block is a lightweight container for storing the
+ packets coming from the network. Its presence is optional.
+
+ A Simple Packet Block is similar to a Packet Block (see Section 3.3),
+ but it is smaller, simpler to process and contains only a minimal set
+ of information. This block is preferred to the standard Packet Block
+ when performance or space occupation are critical factors, such as in
+ sustained traffic dump applications. A capture file can contain both
+ Packet Blocks and Simple Packet Blocks: for example, a capture tool
+ could switch from Packet Blocks to Simple Packet Blocks when the
+ hardware resources become critical.
+
+ The Simple Packet Block does not contain the Interface ID field.
+ Therefore, it must be assumed that all the Simple Packet Blocks have
+ been captured on the interface previously specified in the Interface
+ Description Block.
+
+ Figure 6 shows the format of the Simple Packet Block.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 15]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Packet Len |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Packet Data |
+ | |
+ | /* variable length, byte-aligned */ |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 6: Simple Packet Block format.
+
+ The Packet Block has the following fields:
+
+ o Packet Len: actual length of the packet when it was transmitted on
+ the network. Can be different from captured len if the packet has
+ been truncated.
+
+ o Packet data: the data coming from the network, including
+ link-layers headers. The length of this field can be derived from
+ the field Block Total Length, present in the Block Header.
+
+ The Simple Packet Block does not contain the timestamp because this
+ is one of the most costly operations on PCs. Additionally, there are
+ applications that do not require it; e.g. an Intrusion Detection
+ System is interested in packets, not in their timestamp.
+
+ The Simple Packet Block is very efficient in term of disk space: a
+ snapshot of length 100 bytes requires only 16 bytes of overhead,
+ which corresponds to an efficiency of more than 86%.
+
+3.5 Name Resolution Block (optional)
+
+ The Name Resolution Block is used to support the correlation of
+ numeric addresses (present in the captured packets) and their
+ corresponding canonical names and it is optional. Having the literal
+ names saved in the file, this prevents the need of a name resolution
+ in a delayed time, when the association between names and addresses
+ can be different from the one in use at capture time. Moreover, The
+ Name Resolution Block avoids the need of issuing a lot of DNS
+ requests every time the trace capture is opened, and allows to have
+ name resolution also when reading the capture with a machine not
+ connected to the network.
+
+ The format of the Name Resolution Block is shown in Figure 7.
+
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 16]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Record Type | Record Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Record Value |
+ | /* variable length, byte-aligned */ |
+ | + + + + + + + + + + + + + + + + + + + + + + + + +
+ | | | | |
+ +-+-+-+-+-+-+-+-+ + + + + + + + + + + + + + + + + + + + + + + + +
+ . . . other records . . .
+ | Record Type == end_of_recs | Record Length == 00 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / /
+ / Options (variable) /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 7: Name Resolution Block format.
+
+ A Name Resolution Block is a zero-terminated list of records (in the
+ TLV format), each of which contains an association between a network
+ address and a name. There are three possible types of records:
+
+ +----------------+----------------+----------------+----------------+
+ | Name | Code | Length | Description |
+ +----------------+----------------+----------------+----------------+
+ | end_of_recs | 0 | 0 | End of records |
+ | | | | |
+ | ip4_rec | 1 | Variable | Specifies an |
+ | | | | IPv4 address |
+ | | | | (contained in |
+ | | | | the first 4 |
+ | | | | bytes), |
+ | | | | followed by |
+ | | | | one or more |
+ | | | | zero-terminate |
+ | | | | d strings |
+ | | | | containing the |
+ | | | | DNS entries |
+ | | | | for that |
+ | | | | address. |
+ | | | | |
+ | ip6_rec | 1 | Variable | Specifies an |
+ | | | | IPv6 address |
+ | | | | (contained in |
+ | | | | the first 16 |
+ | | | | bytes), |
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 17]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+ | | | | followed by |
+ | | | | one or more |
+ | | | | zero-terminate |
+ | | | | d strings |
+ | | | | containing the |
+ | | | | DNS entries |
+ | | | | for that |
+ | | | | address. |
+ +----------------+----------------+----------------+----------------+
+
+ Table 3
+
+ After the list or Name Resolution Records, optionally, a list of
+ options (formatted according to the rules defined in Section 4) can
+ be present.
+
+ A Name Resolution Block is normally placed at the beginning of the
+ file, but no assumptions can be taken about its position. Name
+ Resolution Blocks can be added in a second time by tools that process
+ the file, like network analyzers.
+
+ In addiction to the options defined in Section 4, the following
+ options are valid within this block:
+
+ +----------------+----------------+----------------+----------------+
+ | Name | Code | Length | Description |
+ +----------------+----------------+----------------+----------------+
+ | ns_dnsname | 2 | Variable | An ascii |
+ | | | | string |
+ | | | | containing the |
+ | | | | name of the |
+ | | | | machine (DNS |
+ | | | | server) used |
+ | | | | to perform the |
+ | | | | name |
+ | | | | resolution. |
+ +----------------+----------------+----------------+----------------+
+
+
+3.6 Interface Statistics Block (optional)
+
+ The Interface Statistics Block contains the capture statistics for a
+ given interface and it is optional. The statistics are referred to
+ the interface defined in the current Section identified by the
+ Interface ID field.
+
+ The format of the Interface Statistics Block is shown in Figure 8.
+
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 18]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | IfRecv |
+ | (high + low) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | IfDrop |
+ | (high + low) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | FilterAccept |
+ | (high + low) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | OSDrop |
+ | (high + low) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | UsrDelivered |
+ | (high + low) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Interface ID | Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / /
+ / Options (variable) /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 8: Interface Statistics Block format.
+
+ The fields have the following meaning:
+
+ o IfRecv: number of packets received from the interface during the
+ capture. This number is reported as a 64 bits value, in which the
+ most significat bits are located in the first four bytes of the
+ field.
+
+ o IfDrop: number of packets dropped by the interface during the
+ capture due to lack of resources.
+
+ o FilterAccept: number of packets accepeted by filter during current
+ capture.
+
+ o OSDrop: number of packets dropped by the operating system during
+ the capture.
+
+ o UsrDelivered: number of packets delivered to the user.
+ UsrDelivered can be different from the value 'FilterAccept -
+ OSDropped' because some packets could still lay in the OS buffers
+ when the capture ended.
+
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 19]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+ o Interface ID: reference to an Interface Description Block.
+
+ o Reserved: Reserved to future use.
+
+ o Options: optionally, a list of options (formatted according to the
+ rules defined in Section 4) can be present.
+
+ In addiction to the options defined in Section 4, the following
+ options are valid within this block:
+
+ +----------------+----------------+----------------+----------------+
+ | Name | Code | Length | Description |
+ +----------------+----------------+----------------+----------------+
+ | isb_starttime | 2 | 8 | Time in which |
+ | | | | the capture |
+ | | | | started; time |
+ | | | | will be stored |
+ | | | | in two blocks |
+ | | | | of four bytes |
+ | | | | each, |
+ | | | | containing the |
+ | | | | timestamp in |
+ | | | | seconds and |
+ | | | | nanoseconds. |
+ | | | | |
+ | isb_endtime | 3 | 8 | Time in which |
+ | | | | the capture |
+ | | | | started; time |
+ | | | | will be stored |
+ | | | | in two blocks |
+ | | | | of four bytes |
+ | | | | each, |
+ | | | | containing the |
+ | | | | timestamp in |
+ | | | | seconds and |
+ | | | | nanoseconds. |
+ +----------------+----------------+----------------+----------------+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 20]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+4. Options
+
+ Almost all blocks have the possibility to embed optional fields.
+ Optional fields can be used to insert some information that may be
+ useful when reading data, but that it is not really needed for packet
+ processing. Therefore, each tool can be either read the content of
+ the optional fields (if any), or skip them at once.
+
+ Skipping all the optional fields at once is straightforward because
+ most of the blocks have a fixed length, therefore the field Block
+ Length (present in the General Block Structure, see Section 2.1) can
+ be used to skip everything till the next block.
+
+ Options are a list of Type - Length - Value fields, each one
+ containing a single value:
+
+ o Option Type (2 bytes): it contains the code that specifies the
+ type of the current TLV record. Option types whose Most
+ Significant Bit is equal to one are reserved for local use;
+ therefore, there is no guarantee that the code used is unique
+ among all capture files (generated by other applications). In case
+ of vendor-specific extensions that have to be identified uniquely,
+ vendors must request an Option Code whose MSB is equal to zero.
+
+ o Option Length (2 bytes): it contains the length of the following
+ 'Option Value' field.
+
+ o Option Value (variable length): it contains the value of the given
+ option. The length of this field as been specified by the Option
+ Length field.
+
+ Options may be repeated several times (e.g. an interface that has
+ several IP addresses associated to it). The option list is terminated
+ by a special code which is the 'End of Option'.
+
+ The format of the optional fields is shown in Figure 9.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 21]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Option Code | Option Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Option Value |
+ | /* variable length, byte-aligned */ |
+ | + + + + + + + + + + + + + + + + + + + + + + + + +
+ | / / / |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / /
+ / . . . other options . . . /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Option Code == opt_endofopt | Option Length == 0 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 9: Options format.
+
+ The following codes can always be present in any optional field:
+
+ +----------------+----------------+----------------+----------------+
+ | Name | Code | Length | Description |
+ +----------------+----------------+----------------+----------------+
+ | opt_endofopt | 0 | 0 | End of |
+ | | | | options: it is |
+ | | | | used to |
+ | | | | delimit the |
+ | | | | end of the |
+ | | | | optional |
+ | | | | fields. This |
+ | | | | block cannot |
+ | | | | be repeated |
+ | | | | within a given |
+ | | | | list of |
+ | | | | options. |
+ | | | | |
+ | opt_comment | 1 | variable | Comment: it is |
+ | | | | an ascii |
+ | | | | string |
+ | | | | containing a |
+ | | | | comment that |
+ | | | | is associated |
+ | | | | to the current |
+ | | | | block. |
+ +----------------+----------------+----------------+----------------+
+
+
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 22]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+5. Experimental Blocks (deserved to a further investigation)
+
+5.1 Other Packet Blocks (experimental)
+
+ Can some other packet blocks (besides the two described in the
+ previous paragraphs) be useful?
+
+5.2 Compression Block (experimental)
+
+ The Compression Block is optional. A file can contain an arbitrary
+ number of these blocks. A Compression Block, as the name says, is
+ used to store compressed data. Its format is shown in Figure 10.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Compr. Type | |
+ +-+-+-+-+-+-+-+-+ |
+ | |
+ | Compressed Data |
+ | |
+ | /* variable length, byte-aligned */ |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 10: Compression Block format.
+
+ The fields have the following meaning:
+
+ o Compression Type: specifies the compression algorithm. Possible
+ values for this field are 0 (uncompressed), 1 (Lempel Ziv), 2
+ (Gzip), other?? Probably some kind of dumb and fast compression
+ algorithm could be effective with some types of traffic (for
+ example web), but which?
+
+ o Compressed Data: data of this block. Once decompressed, it is made
+ of other blocks.
+
+
+5.3 Encryption Block (experimental)
+
+ The Encryption Block is optional. A file can contain an arbitrary
+ number of these blocks. An Encryption Block is used to sotre
+ encrypted data. Its format is shown in Figure 11.
+
+
+
+
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 23]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Encr. Type | |
+ +-+-+-+-+-+-+-+-+ |
+ | |
+ | Compressed Data |
+ | |
+ | /* variable length, byte-aligned */ |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 11: Encryption Block format.
+
+ The fields have the following meaning:
+
+ o Compression Type: specifies the encryption algorithm. Possible
+ values for this field are ??? NOTE: this block should probably
+ contain other fields, depending on the encryption algorithm. To be
+ define precisely.
+
+ o Encrypted Data: data of this block. Once decripted, it consists of
+ other blocks.
+
+
+5.4 Fixed Length Block (experimental)
+
+ The Fixed Length Block is optional. A file can contain an arbitrary
+ number of these blocks. A Fixed Length Block can be used to optimize
+ the access to the file. Its format is shown in Figure 12. A Fixed
+ Length Block stores records with constant size. It contains a set of
+ Blocks (normally Packet Blocks or Simple Packet Blocks), of wihich it
+ specifies the size. Knowing this size a priori helps to scan the file
+ and to load some portions of it without truncating a block, and is
+ particularly useful with cell-based networks like ATM.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 24]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Cell Size | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
+ | |
+ | Fixed Size Data |
+ | |
+ | /* variable length, byte-aligned */ |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 12: Fixed Length Block format.
+
+ The fields have the following meaning:
+
+ o Cell size: the size of the blocks contained in the data field.
+
+ o Fixed Size Data: data of this block.
+
+
+5.5 Directory Block (experimental)
+
+ If present, this block contains the following information:
+
+ o number of indexed packets (N)
+
+ o table with position and length of any indexed packet (N entries)
+
+ A directory block must be followed by at least N packets, otherwise
+ it must be considered invalid. It can be used to efficiently load
+ portions of the file to memory and to support operations on memory
+ mapped files. This block can be added by tools like network analyzers
+ as a consequence of file processing.
+
+5.6 Traffic Statistics and Monitoring Blocks (experimental)
+
+ One or more blocks could be defined to contain network statistics or
+ traffic monitoring information. They could be use to store data
+ collected from RMON or Netflow probes, or from other network
+ monitoring tools.
+
+5.7 Event/Security Block (experimental)
+
+ This block could be used to store events. Events could contain
+ generic information (for example network load over 50%, server
+ down...) or security alerts. An event could be:
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 25]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+ o skipped, if the application doesn't know how to do with it
+
+ o processed independently by the packets. In other words, the
+ applications skips the packets and processes only the alerts
+
+ o processed in relation to packets: for example, a security tool
+ could load only the packets of the file that are near a security
+ alert; a monitorg tool could skip the packets captured while the
+ server was down.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 26]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+6. Conclusions
+
+ The file format proposed in this document should be very versatile
+ and satisfy a wide range of applications. In the simplest case, it
+ can contain a raw dump of the network data, made of a series of
+ Simple Packet Blocks. In the most complex case, it can be used as a
+ repository for heterogeneous information. In every case, the file
+ remains easy to parse and an application can always skip the data it
+ is not interested in; at the same time, different applications can
+ share the file, and each of them can benfit of the information
+ produced by the others. Two or more files can be concatenated
+ obtaining another valid file.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 27]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+7. Most important open issues
+
+ o Data, in the file, must be byte or word aligned? Currently, the
+ structure of this document is not consistent with respect to this
+ point.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 28]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assignees.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 29]
+
+Internet-Draft PCAP New Generation Dump File Format March 2004
+
+
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Degioanni & Risso Expires August 30, 2004 [Page 30]
+
OpenPOWER on IntegriCloud