Wireshark-bugs: [Wireshark-bugs] [Bug 3096] Ability to annotate packet captures

Date: Fri, 6 Jan 2012 02:30:52 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3096

--- Comment #7 from Guy Harris <guy@xxxxxxxxxxxx> 2012-01-06 02:30:52 PST ---
(In reply to comment #5)
> I think it would be more practical to save the comments in a separate file near
> the capture file and load it automatically while loading the capture file.

Such a scheme has a number of advantages, not the least of which is that, as
you note, saving an immensely large capture file to which you've added one
comment in one frame could take a *long* time (and, given that we would do
"save to a temporary file and once that's done rename it on top of the original
file" safe-save - not that, given that the packet data we're saving is read
from the original file, we would have any *choice* about that - could also take
a significant amount of extra disk space as well).

It also has the advantage that it can be used to annotate *any* capture file
type.

(Gee, maybe we should store them in some alternate data stream, such as the
resource fork if we're running on Mac OS X or on an NTFS stream or ZFS/NFSv4
"extended attribute" - note that ZFS/NFSv4 "extended attributes" aren't little
attributes, they're full-blown alternate data streams - if they're available in
the OS and file system. *ducks*)

However, given that pcap-NG file format *and* Network Monitor file format (and
possibly some other file formats) support comments in the file itself, even if
we support the separate file, we should also support writing out the comments
in the original file, for the benefit of tools that *don't* understand capnote
files.
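
What reading pcap-NG in-file comments involves for a tool, as an added example (not part of the comment above and not Wireshark code): it walks the blocks and collects the opt_comment option (code 1) from the Section Header Block and from Enhanced Packet Blocks. The function names and the sample bytes are constructed for illustration.

```python
import struct
SHB, IDB, EPB = 0x0A0D0D0A, 1, 6      # pcapng block types
OPT_END, OPT_COMMENT = 0, 1           # option codes common to all blocks

def _options(buf, e):
    """Yield (code, value) for each option in a block's options region."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from(e + "HH", buf, off)
        if code == OPT_END or off + 4 + length > len(buf):
            return
        yield code, buf[off + 4:off + 4 + length]
        off += 4 + ((length + 3) & ~3)            # values are padded to 32 bits

def comments(data):
    """Return [(frame number, or None for the section header, comment text)]."""
    out, off, e, frame = [], 0, "<", 0
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":  # SHB sets the byte order
            e = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, total = struct.unpack_from(e + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            break                                     # truncated or corrupt block
        body, opts, where = data[off + 8:off + total - 4], b"", None
        if btype == SHB:
            opts = body[16:]                          # after magic, version, length
        elif btype == EPB and len(body) >= 20:
            frame += 1
            caplen = struct.unpack_from(e + "I", body, 12)[0]
            opts, where = body[20 + ((caplen + 3) & ~3):], frame
        out += [(where, v.decode("utf-8", "replace"))
                for c, v in _options(opts, e) if c == OPT_COMMENT]
        off += total
    return out

def _block(btype, body):                  # helpers to build the sample only
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def _opt(code, val):
    return struct.pack("<HH", code, len(val)) + val + b"\0" * (-len(val) % 4)
END = _opt(OPT_END, b"")
# Constructed sample: SHB with a file comment, one IDB, two EPBs (second commented).
SAMPLE = (_block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)
                 + _opt(OPT_COMMENT, b"lab capture") + END)
          + _block(IDB, struct.pack("<HHI", 1, 0, 0))
          + _block(EPB, struct.pack("<IIIII", 0, 0, 0, 3, 3) + b"abc\0")
          + _block(EPB, struct.pack("<IIIII", 0, 0, 0, 5, 5) + b"hello\0\0\0"
                   + _opt(OPT_COMMENT, b"retransmit?") + END))
```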
