Gerald Combs wrote:
Pekka Pietikainen wrote:
Oh. If you add a new DLT_ value, having it in a way that is extensible
+ has a way of saying "Here's the raw packet data. It's plain old
DLT_EN10MB". And the next one might be 802.11 and the next one 802.11 with
a radiotap header.
Ugliest hack I've seen for quite a while ;-)
The Per-Packet Information header (PPI) does exactly that:
http://www.cacetech.com/documents/
Hmmm, after I took a deep look at the pcapng format I guess this would
be the way to go for me. As it contains all stuff that I need (and some
optional stuff that I don't need to implement as a first step) ;-)
There are things that PPI is missing, e.g. meta information if captured
from more than one capture interface (which is one of the things I need
first).
I see that bringing pcapng to life in Wireshark will be some effort to
do. However, I tend to do things right so I can build on that cleanly.
So what's the state of pcapng? The spec seems ok, at least for the parts
I'm interested in. Is there a "real world" implementation (except for
the ntar library, which is low level "only")? Are there some example
capture files somewhere?
Regards, ULFL
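
The per-interface metadata discussed in this thread, as an added example that is not part of the original messages and is not Wireshark or ntar code: a minimal pcapng reader that resolves each packet's link type through the Interface Description Block it references. It assumes the block layout of the current pcapng specification, which may differ in detail from the draft under discussion here; all function names and the sample capture are constructed for illustration.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 1, 6        # pcapng block types
ETHERNET, RADIOTAP = 1, 127             # link types: DLT_EN10MB, 802.11 with radiotap header
MIN_BODY = {SHB: 16, IDB: 8, EPB: 20}   # fixed-size part of each block body, in bytes

def block(btype, body, e):
    """Frame a body as a pcapng block: type, total length, padded body, total length."""
    body += b"\0" * (-len(body) % 4)
    total = struct.pack(e + "I", len(body) + 12)
    return struct.pack(e + "I", btype) + total + body + total

def sample_capture(e="<"):
    """Constructed capture: interface 0 is Ethernet, interface 1 is 802.11 + radiotap."""
    def epb(iface, data):
        return block(EPB, struct.pack(e + "5I", iface, 0, 0, len(data), len(data)) + data, e)
    return b"".join([
        block(SHB, struct.pack(e + "IHHq", 0x1A2B3C4D, 1, 0, -1), e),
        block(IDB, struct.pack(e + "HHI", ETHERNET, 0, 65535), e),
        block(IDB, struct.pack(e + "HHI", RADIOTAP, 0, 65535), e),
        epb(0, b"\xaa" * 14), epb(1, b"\xbb" * 9), epb(0, b"\xcc" * 60)])

def packets_with_linktype(buf):
    """Return (interface_id, linktype, captured_len) for each Enhanced Packet Block."""
    out, ifaces, e, off = [], [], "<", 0
    while off < len(buf):
        if len(buf) - off < 12:
            raise ValueError("truncated block header")
        if buf[off:off + 4] == b"\x0a\x0d\x0d\x0a":      # SHB type reads the same in both orders
            magic = buf[off + 8:off + 12]
            if magic not in (b"\x4d\x3c\x2b\x1a", b"\x1a\x2b\x3c\x4d"):
                raise ValueError("bad byte-order magic")
            e = "<" if magic[0] == 0x4D else ">"
            ifaces = []                                   # interface IDs restart per section
        btype, total = struct.unpack_from(e + "II", buf, off)
        if (total < 12 or total % 4 or off + total > len(buf)
                or buf[off + total - 4:off + total] != buf[off + 4:off + 8]):
            raise ValueError("bad block length at offset %d" % off)
        body = buf[off + 8:off + total - 4]
        if len(body) < MIN_BODY.get(btype, 0):
            raise ValueError("short block body at offset %d" % off)
        if btype == IDB:
            ifaces.append(struct.unpack_from(e + "H", body)[0])
        elif btype == EPB:
            iface, _, _, caplen, _ = struct.unpack_from(e + "5I", body)
            if iface >= len(ifaces) or caplen > len(body) - 20:
                raise ValueError("packet references unknown interface or overruns block")
            out.append((iface, ifaces[iface], caplen))
        off += total
    return out
```

Unknown block types are skipped by their declared length, which is what lets a reader ignore the optional parts of the format.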