Ethereal-dev: [Ethereal-dev] Re: [tcpdump-workers] New capture file format ideas?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Michael Richardson <mcr@xxxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 14 Jul 2001 20:19:17 -0400
>>>>> "Darren" == Darren Reed <darrenr@xxxxxxxxxxxxxxxxx> writes:
    Darren> I'm not sure if Jason Thorpe (NetBSD) has caught up with this
    Darren> list but in discussions with him, he's raised the prospect of
    Darren> using the tcpdump save file as the format to be used for
    Darren> generating log records from the kernel when doing packet
    Darren> filtering.  The ideas below are my own on this subject but I
    Darren> would hope some of them coincide with Jason's.  If you were using
    Darren> IP Filter, the idea is you could do this:

  This message has been sitting in my inbox for months...

    Darren> fields which we think will be "the limit" on what's needed and
    Darren> the second is to support the insertion of extra meta-data between
    Darren> the tcpdump header record and the actual packet.  Two extra
    Darren> fields would be required for the second method, one to say "what
    Darren> type" of meta data is following and the second would be "how
    Darren> much" extra meta data is there.

  I favour a magic number bump, to include this meta data, and then include
a simple length of extra data, IP option-like (well, more IFF-like).

    Darren> To give you an idea of what extra fields would be required for
    Darren> ipfilter logging if it used tcpdump are:
    Darren> - repetition count (for identical packets logged sequentially)
    Darren> - interface name and number
    Darren> - syslog facility and priority
    Darren> - rule number
    Darren> - group number
    Darren> - flags associated with the packet (pass/block, etc)
    Darren> - global logging flags set

  Some of these would be useful for tcpdump output as well:
       - interface name + number
       - rule number	(requires a definition of rule numbers for
			tcpdump input. I'd call each disjoint clause
			a rule)

    Darren> much extra information into the tcpdump log file, explicitly
    Darren> especially as it constrains the applications using it.  Then
    Darren> again, I'm not so sure tcpdump needs more magic numbers either...

  Agreed.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
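The format sketched in the thread, as an added illustration rather than code from either poster or from tcpdump/IP Filter: a bumped magic number, a per-record header that gains a meta-data length, and IFF-like type/length items (repetition count, interface name, rule number) between the record header and the packet. The magic value, the type codes and the sample record are assumptions constructed here; the reader does the bounds-checking a log consumer would need so a bad length is refused instead of read past the buffer.

```python
import struct

# Constructed values: the thread fixes no codes, so the magic and type codes are assumptions.
EXT_MAGIC = 0xA1B2C3D5
META_REPEAT, META_IFACE, META_RULE = 1, 2, 3
FILE_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIIII")     # ts_sec, ts_usec, caplen, len, meta_len (new field)
TLV_HDR = struct.Struct("<HH")        # IFF-like "what type" / "how much" per meta item

def write_file(records, linktype=1):
    out = [FILE_HDR.pack(EXT_MAGIC, 2, 5, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, meta, pkt in records:
        blob = b"".join(TLV_HDR.pack(t, len(p)) + p for t, p in meta)
        out.append(REC_HDR.pack(ts_sec, ts_usec, len(pkt), len(pkt), len(blob)) + blob + pkt)
    return b"".join(out)

def parse_meta(blob):
    items, off = [], 0
    while off < len(blob):
        if off + TLV_HDR.size > len(blob):
            raise ValueError("truncated TLV header")
        mtype, mlen = TLV_HDR.unpack_from(blob, off)
        off += TLV_HDR.size
        if off + mlen > len(blob):
            raise ValueError("TLV length exceeds meta-data area")
        items.append((mtype, blob[off:off + mlen]))
        off += mlen
    return items

def read_file(data):
    # Returns [(ts_sec, ts_usec, meta_items, packet)], bounds-checking every length.
    if len(data) < FILE_HDR.size or FILE_HDR.unpack_from(data)[0] != EXT_MAGIC:
        raise ValueError("not an extended capture file")
    off, recs = FILE_HDR.size, []
    while off < len(data):
        if off + REC_HDR.size > len(data):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, caplen, wlen, mlen = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if caplen > wlen or off + mlen + caplen > len(data):
            raise ValueError("record lengths exceed file")
        meta = parse_meta(data[off:off + mlen])
        off += mlen
        recs.append((ts_sec, ts_usec, meta, data[off:off + caplen]))
        off += caplen
    return recs

# Constructed sample: one blocked packet logged three times on fxp0 by rule 12.
SAMPLE = write_file([(995155157, 0, [(META_REPEAT, struct.pack("<I", 3)), (META_IFACE, b"fxp0"),
                      (META_RULE, struct.pack("<I", 12))], b"\x45\x00\x00\x14" + b"\x00" * 16)])
```

A reader of the classic format sees only the different magic and stops, which is the point of the bump: old tools refuse the file instead of treating the meta-data bytes as packet data.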