Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] PCAP File Question

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 2 Dec 2008 11:04:41 -0800

On Dec 2, 2008, at 5:55 AM, Barry Constantine wrote:

My company builds hardware based network analyzers and we are going to capture 1G/10G line rate and store in native pcap format.

If possible, it would be beneficial for us to store some extra information in the packet headers that is unique to our ability to use custom NIC hardware (FCS errors, collisions, etc..).

I looked at the PCAP format and am thinking there are no spare bits / fields to accomplish this. We do plan to enable nsec timestamp option.

Can anyone tell me if there is a way to store additional information in the pcap file (per packet) that would not cause problems for normal Wireshark decoding?

One possibility might be to use the DLT_PPI link-layer type and add Ethernet packet information:

	http://www.cacetech.com/documents/PPI_Header_format_1.0.1.pdf

The ideal would be to use pcap-NG, but using PPI might at least be a good near-term fix.