Wireshark-bugs: [Wireshark-bugs] [Bug 3096] Ability to annotate packet captures

Date: Fri, 6 Jan 2012 02:23:09 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3096

--- Comment #6 from Guy Harris <guy@xxxxxxxxxxxx> 2012-01-06 02:23:06 PST ---
(In reply to comment #4)
> (In reply to comment #3)
> Tha's a shame. I'd assumed that pcap files were "packet type" agnostic i.e.
> there could be a mix of packets with any type of protocol (with some internal
> packet identifying header preceding them), so inserting an 802.2 "comment"
> packet within a file containing e.g. ppp frames, would still be ok. By the
> sounds of what you're saying, the capture file has a header that specifies that
> all the contained packets are of the same general type. Is that the case?

Yes, pcap files *do* have a link-layer header type value in the file header; it
applies to all packets in the capture.  pcap files are *not* "packet type"
(link-layer header type) agnostic.

pcap-NG files have, instead, Interface Description Block records that contain a
link-layer header type value for all packets from that interface, and not all
IDBs have to have the same link-layer header type.  However, pcap-NG files
*also* have a "comment" optional attribute that can be attached to many record
types, including the Packet Block and Enhanced Packet Block that would normally
be used for packets, so there's no need to do any tricks to support per-packet
comments in pcap-NG files.

(FYI, both pcap and pcap-NG link-layer header type values come from the set of
values described at

    http://www.tcpdump.org/linktypes.html

.)

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.