----- Original Message -----
From: "Harley Stenzel" <[EMAIL PROTECTED]>
To: <tcpdump-workers@lists.tcpdump.org>
Sent: Monday, December 04, 2006 1:30 PM
Subject: Re: [tcpdump-workers] pcap files with file header snaplen < packet
On 12/4/06, Gerald Combs <[EMAIL PROTECTED]> wrote:
Harley Stenzel wrote:
> Looking forward, however, it would be helpful if the libpcap file
> format provided a way to tag the source of the captured packet, so
> that merged files do not lose information.
NTAR supports this:
http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#sectionpb
It certainly does, but it expired more than 2 years ago. Is it still
active?
Although the draft expired 2 yrs ago, and I released some update to the NTAR
code back in February, the project is still alive. The new file format has
not been integrated into Wireshark or libpcap/tcpdump yet (on my side mainly
because of lack of time), but the ntar library has been used quite a lot in
some avionics products
http://www.gefanucembedded.com/products/1044
http://www.gefanucembedded.com/products/1069
(in fact, if you look at appendix B,
http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#appendixBlockCodes,
there are some references to some new blocks).
Personally I plan to work a bit on it in the Christmas holidays and release
a new version of ntar that includes some tools to convert to/from the pcap
format.
I don't know if this answers your question.
Have a nice day
GV
--Harley
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.