Wireshark-dev: Re: [Wireshark-dev] PCAP File Question



From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 2 Dec 2008 11:04:41 -0800


On Dec 2, 2008, at 5:55 AM, Barry Constantine wrote:

> My company builds hardware-based network analyzers and we are going to capture 1G/10G line rate and store in native pcap format.
>
> If possible, it would be beneficial for us to store some extra information in the packet headers that is unique to our ability to use custom NIC hardware (FCS errors, collisions, etc.).
>
> I looked at the PCAP format and am thinking there are no spare bits / fields to accomplish this. We do plan to enable nsec timestamp option.
>
> Can anyone tell me if there is a way to store additional information in the pcap file (per packet) that would not cause problems for normal Wireshark decoding?

One possibility might be to use the DLT_PPI link-layer type and add Ethernet packet information:

	http://www.cacetech.com/documents/PPI_Header_format_1.0.1.pdf

The ideal would be to use pcap-NG, but using PPI might at least be a good near-term fix.
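
The layout suggested in the reply above, as an added example that is not part of the original message and is not Wireshark or libpcap code: a nanosecond-resolution pcap file whose link-layer type is DLT_PPI, with per-packet error metadata carried in a PPI field ahead of the Ethernet frame, plus a bounds-checked reader. The 802.3 extension field type (9), its two 32-bit words and the FCS-error bit are assumptions to check against the PPI specification linked in the reply; the sample frame and timestamp are constructed.

```python
import struct

PCAP_MAGIC_NSEC = 0xA1B23C4D            # classic pcap magic for nanosecond timestamps
LINKTYPE_ETHERNET, LINKTYPE_PPI = 1, 192  # DLT_EN10MB, DLT_PPI
PPI_FIELD_8023_EXT = 9  # assumed: 802.3 extension field (u32 flags, u32 errors); verify in PPI spec
PPI_8023_ERR_FCS = 0x1  # assumed: "FCS error" bit in the errors word; verify in PPI spec

def ppi_wrap(frame, flags=0, errors=0):
    field = struct.pack("<HHII", PPI_FIELD_8023_EXT, 8, flags, errors)
    header = struct.pack("<BBHI", 0, 0, 8 + len(field), LINKTYPE_ETHERNET)
    return header + field + frame  # PPI header and fields are little-endian

def write_pcap(records, snaplen=65535):
    """records: (ts_sec, ts_nsec, packet) tuples; returns the file bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_NSEC, 2, 4, 0, 0, snaplen, LINKTYPE_PPI)]
    for sec, nsec, pkt in records:  # 16-byte record header: timestamp and two lengths only
        out.append(struct.pack("<IIII", sec, nsec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)

def read_ppi_pcap(data):
    """Return (ts_sec, ts_nsec, inner_dlt, {field_type: bytes}, frame) per record."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_NSEC or linktype != LINKTYPE_PPI:
        raise ValueError("not a little-endian nanosecond pcap with DLT_PPI")
    off, records = 24, []
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        sec, nsec, caplen, _ = struct.unpack_from("<IIII", data, off)
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) != caplen or caplen < 8:
            raise ValueError("truncated packet data")
        _, _, pph_len, dlt = struct.unpack_from("<BBHI", pkt, 0)
        if not 8 <= pph_len <= caplen:
            raise ValueError("PPI header length out of bounds")
        fields, pos = {}, 8
        while pos + 4 <= pph_len:
            ftype, flen = struct.unpack_from("<HH", pkt, pos)
            if pos + 4 + flen > pph_len:
                raise ValueError("PPI field overruns header")
            fields[ftype] = pkt[pos + 4:pos + 4 + flen]
            pos += 4 + flen
        records.append((sec, nsec, dlt, fields, pkt[pph_len:]))
    return records

# Constructed sample: one 60-byte broadcast frame flagged with an FCS error.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff0200000000010800") + bytes(46)
SAMPLE_PCAP = write_pcap([(1228244681, 123456789, ppi_wrap(SAMPLE_FRAME, 0, PPI_8023_ERR_FCS))])
```

Because the metadata sits inside the packet data rather than in the pcap record header, a reader that does not know DLT_PPI can still walk the file record by record.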
