Wireshark-bugs: [Wireshark-bugs] [Bug 3096] Ability to annotate packet captures

Date: Thu, 4 Dec 2008 16:42:32 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3096


Guy Harris <guy@xxxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Platform|PC                          |All




--- Comment #1 from Guy Harris <guy@xxxxxxxxxxxx>  2008-12-04 16:42:30 PDT ---
No protocol analyzer I know of will just ignore packets with a special network
type as not understood.  What they'll do with them depends on the analyzer.

A packet time stamp of 0 means January 1, 1970, 00:00:00 GMT, so, while it's
unlikely, it's not invalid - and it's likely to confuse the heck out of
applications that don't know about it (i.e., anything that can read a libpcap
file, including existing versions of Wireshark, tcpdump, snort, etc.).

Not all link-layer types have a type value, and there aren't necessarily any
"can never occur on the wire" types for a given link-layer type.  We could try
to register our own Ethernet type (just as I *hope* Microsoft did for the fake
Ethernet type they use in Network Monitor files for statistics and the like),
although that only handles Ethernet and LAN types using 802.2; it won't handle,
for example, PPP.

The ultimate correct answer is pcap-NG:

    http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html

which already defines a comment option, containing a UTF-8 text string, which
can be attached to a number of record types including packet records.

Unfortunately, libpcap doesn't support pcap-NG, so many other applications,
including tcpdump, don't support it, and Wireshark's support is limited, so
it's not ready for this yet.

The PPI link-layer type:

    http://www.cacetech.com/documents/PPI_Header_format_1.0.1.pdf

could perhaps be extended for this; unfortunately, that can't be read by all
applications that handle libpcap files, so it's not much better than pcap-NG in
terms of compatibility.


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.