Wireshark-dev: Re: [Wireshark-dev] What is the history and status of PCAP Next Generation?

From: Tyson Key <tyson.key@xxxxxxxxx>
Date: Wed, 9 Oct 2013 19:23:25 +0100
Apologies for the thread hijacking...

For what it's worth, I've just had a play with the latest build of CommView (6.5, build 734), and it seems to have basic support for writing PCAP-NG files. (Emits no packet comments, and doesn't use any nifty features like storing application/machine info).

Since I haven't got a tool for reverse-engineering PCAP-NG traces handy (other than looking at strings in a text editor), I'm assuming that they're generating very bare-bones IDBs, and using (Simple?) Packet Blocks for storing the packet data. I don't know if it'll preserve unrecognised block/field types, or comments, either.

From testing with some of the traces that I've attached to bug reports related to CommView .NCF support in Wireshark, it seems that I can export Ethernet packets with full fidelity; although exporting 802.11 captures is a lossy process (the RSSI, band/frequency, and bandwidth/link speed field values are lost).

In fact, it seems that even though the .NCF format supports multiple link layer types (and converting 802.11-only captures works fine), attempting to export a sample file containing 802.11, Ethernet, and Token Ring packets to PCAP-NG results in a useless file with all of the packets assigned to a single interface with an Ethernet link type.
 
So I guess that it's a good start from the TamoSoft folks - but they've got a little more work to do, before they can call their product fully interoperable with PCAP-NG.

I still don't know if any of MS's offerings support writing files in this format, though.

Tyson. 


2013/10/9 Jasper Bongertz <jasper.sharklists@xxxxxxxxxxxxxx>
Sorry to answer this late; I saw this email a week ago but didn't
manage to reply - the todo got swapped out but never swapped in again.
Graham gave me a heads up (that I didn't see until now, either,
*sigh*), so here I go.

>>  Q2: What is the status of pcap-ng?
>>
>>      * "it works fine, everyone's using it, it just isn't an RFC"
>>   or * "it's an abandoned effort, plain pcap is good enough"
>>   or * "all development has moved to X, take a look at X"

> "It works fine, some software's using it, and there's no RFC for
> pcap format, either, although there probably should be informative
> RFCs for both of them at some point."

At Sharkfest 2013 we (me, plus the Wireshark devs that were "in
range") had an impromptu meeting regarding the status of the PCAP-ng
specifications.

I offered to see if we can go in the direction of an RFC, but got a
bit sidetracked. I had checked how the procedures work in July/August, but
at the time the RFC submission process was closed for new submissions.
It should be open again by now, so I'll try to go forward asap.

Oh, and regarding the status of PCAP-ng I'd say it is more like "a
couple of tools are using it, but most are still stuck on pcap for
whatever reason."

Cheers,
Jasper


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe



--
Fight Internet Censorship! http://www.eff.org
http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon | 00447934365844
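The first message above wants a way to check what a writer actually put into a PCAP-NG file: which block kinds it uses (Interface Description, Enhanced or Simple Packet Blocks), whether packet comments survive, how packets are spread across interfaces and link types, and whether any unrecognised block types are present. The block walker below is an added example written for this thread; it is not code from the thread, from CommView, or from Wireshark. It follows the public pcapng block layout (8-byte header, body padded to 4 bytes, trailing length, option lists ended by opt_endofopt) and runs against a sample file it constructs inline; pass a path on the command line to summarise a real file instead. The link-type name table is a deliberately small subset, and the custom block type 0x0BAD in the sample is an invented value used only to show how unknown blocks are reported.

```python
"""Walk the block structure of a PCAP-NG file and report what it contains.

Added example (not from the original thread, CommView, or Wireshark).
The sample file is constructed inline; a real file is read with open(path, "rb").
"""
import struct

SHB, IDB, SPB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000003, 0x00000006
BYTE_ORDER_MAGIC = 0x1A2B3C4D
OPT_ENDOFOPT, OPT_COMMENT, IF_NAME = 0, 1, 2
LINKTYPE_NAMES = {1: "ETHERNET", 105: "IEEE802_11"}  # small subset, display only


def _pad4(n):
    return (n + 3) & ~3


def _options(buf, endian):
    """Parse a pcapng option list into [(code, value)], stopping at opt_endofopt."""
    opts, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from(endian + "HH", buf, off)
        off += 4
        if code == OPT_ENDOFOPT:
            break
        opts.append((code, buf[off:off + length]))
        off += _pad4(length)
    return opts


def summarize_pcapng(data):
    """Return a dict describing blocks, interfaces, packets and comments in `data`."""
    s = {"blocks": [], "interfaces": [], "packets_per_interface": {},
         "comments": 0, "unknown_blocks": [], "errors": []}
    endian, off, next_iface = "<", 0, 0
    while off + 12 <= len(data):
        # The SHB type 0x0A0D0D0A reads the same in either byte order, so it is safe
        # to test for it before the section's endianness is known.
        btype = struct.unpack_from(endian + "I", data, off)[0]
        if btype == SHB:
            raw_magic = data[off + 8:off + 12]
            if struct.unpack("<I", raw_magic)[0] == BYTE_ORDER_MAGIC:
                endian = "<"
            elif struct.unpack(">I", raw_magic)[0] == BYTE_ORDER_MAGIC:
                endian = ">"
            else:
                s["errors"].append("bad byte-order magic at offset %d" % off)
                break
            next_iface = 0  # interface IDs restart with every section
        total = struct.unpack_from(endian + "I", data, off + 4)[0]
        if total < 12 or total % 4 or off + total > len(data):
            s["errors"].append("bad block length %d at offset %d" % (total, off))
            break
        if struct.unpack_from(endian + "I", data, off + total - 4)[0] != total:
            s["errors"].append("trailing length mismatch at offset %d" % off)
            break
        body = data[off + 8:off + total - 4]
        s["blocks"].append(btype)
        if btype == IDB:
            linktype, _reserved, snaplen = struct.unpack_from(endian + "HHI", body, 0)
            name = next((v.decode("utf-8", "replace")
                         for c, v in _options(body[8:], endian) if c == IF_NAME), None)
            s["interfaces"].append({"id": next_iface, "linktype": linktype,
                                    "linktype_name": LINKTYPE_NAMES.get(linktype, "?"),
                                    "snaplen": snaplen, "name": name})
            next_iface += 1
        elif btype == EPB:
            iface, _hi, _lo, caplen, _orig = struct.unpack_from(endian + "IIIII", body, 0)
            opts = _options(body[20 + _pad4(caplen):], endian)  # options follow padded data
            s["comments"] += sum(1 for c, _ in opts if c == OPT_COMMENT)
            s["packets_per_interface"][iface] = s["packets_per_interface"].get(iface, 0) + 1
        elif btype == SPB:
            # Simple Packet Blocks always belong to interface 0 and carry no options.
            s["packets_per_interface"][0] = s["packets_per_interface"].get(0, 0) + 1
        elif btype != SHB:
            s["unknown_blocks"].append(btype)
        off += total
    return s


def _block(btype, body, endian="<"):
    padded = body + bytes(_pad4(len(body)) - len(body))
    total = 12 + len(padded)
    return struct.pack(endian + "II", btype, total) + padded + struct.pack(endian + "I", total)


def _opt(code, value, endian="<"):
    return struct.pack(endian + "HH", code, len(value)) + value + bytes(_pad4(len(value)) - len(value))


def build_sample_pcapng():
    """Constructed little-endian sample: one section, two interfaces, three packets."""
    end = _opt(OPT_ENDOFOPT, b"")
    shb = _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + _opt(4, b"constructed") + end)
    eth = _block(IDB, struct.pack("<HHI", 1, 0, 65535) + _opt(IF_NAME, b"eth0") + end)
    wifi = _block(IDB, struct.pack("<HHI", 105, 0, 65535) + _opt(IF_NAME, b"wlan0") + end)
    frame = bytes.fromhex("ffffffffffff0011223344550800") + b"\x45" * 20  # dummy 34-byte frame
    epb0 = _block(EPB, struct.pack("<IIIII", 0, 0, 0, len(frame), len(frame)) + frame
                  + bytes(_pad4(len(frame)) - len(frame)) + _opt(OPT_COMMENT, b"constructed comment") + end)
    spb = _block(SPB, struct.pack("<I", 17) + bytes(17))          # 17-byte packet, interface 0
    epb1 = _block(EPB, struct.pack("<IIIII", 1, 0, 0, 30, 30) + b"\x80" * 30)  # no options
    custom = _block(0x00000BAD, b"vendor data")                    # invented unknown block type
    return shb + eth + wifi + epb0 + spb + epb1 + custom


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcapng()
    for key, value in summarize_pcapng(data).items():
        print(key, value)
```

Run against an exported trace, the `packets_per_interface` and `interfaces` entries make the multi-link-type problem described above visible directly (every packet on interface 0 with linktype 1), `comments` shows whether packet comments were written, and `unknown_blocks` lists block types the walker does not recognise, which is the first thing to check when asking whether a writer round-trips blocks it does not understand. The walker stops at the first structurally bad block and records the offset in `errors`, which is the safe behaviour for a file from an untrusted source.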