Wireshark-dev: Re: [Wireshark-dev] Annotating capture files and/or pcap pre-processing

From: Hadriel Kaplan <HKaplan@xxxxxxxxxxxxxx>
Date: Thu, 11 Nov 2010 20:27:51 -0500
On Nov 11, 2010, at 7:30 PM, Jouni Malinen wrote:

> This looks somewhat better than the picture I got from the wiki page
> (http://wiki.wireshark.org/Development/PcapNg) which seemed to
> indicate that only Ethernet link type would be supported. Though, the
> per-packet opt_comment part would likely be the area that I would
> really need to get shown in Wireshark.. And with that, the
> "materialize" would probably be defined as "getting per-packet
> opt_comment showing up in Wireshark" in near future. Looks like I'll
> need to take a closer look at the current implementation then.

If you do it, please make it agnostic to the file format, or at least easy to patch for other file formats.  Wireshark supports reading/writing multiple file formats, some of which also support per-packet comments, so it would be really nice to be able to let them all do so without too much work.  Just my 2 cents.

> This would likely not be suitable for the
> annotation-as-a-bogus-frame-from-kernel part, so the question about
> radiotap/IEEE 802.11 frame extension with vendor-specific contents
> (OUI/subtype used) would probably still be something that would be
> nice to get resolved. For expert info, I'd guess it could be encoded
> somehow in opt_comment.

I was wondering if anyone else had that type of idea - I've often thought Wireshark could just ask IEEE for an OUI (or ask Cace for a number within Cace's OUI), and make fake Ethernet frames using that OUI in the src/dest MAC addresses to contain meta-data such as comments.  But it's really a hack, and would only work for capture files containing frame types that have MAC addresses.  Seems like a bad idea in the long term. :(

-hadriel
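To make "per-packet opt_comment" concrete: the following is an added example, not code from this thread or from Wireshark, that writes a minimal little-endian pcapng file (SHB, IDB, Enhanced Packet Blocks) with an opt_comment option attached to one packet and reads the comments back. The frame bytes, timestamps and comment text are constructed sample data; the block and option layouts follow the pcapng specification.

```python
import struct

OPT_COMMENT = 1           # pcapng option code for opt_comment (valid in any block, EPB included)
BT_SHB, BT_IDB, BT_EPB = 0x0A0D0D0A, 0x00000001, 0x00000006

def _pad4(b):
    return b + b"\x00" * (-len(b) % 4)          # option values and packet data are 32-bit aligned

def _options(comment):
    """Encode an option list holding one opt_comment; no comment means no option bytes at all."""
    if comment is None:
        return b""
    val = comment.encode("utf-8")
    return struct.pack("<HH", OPT_COMMENT, len(val)) + _pad4(val) + struct.pack("<HH", 0, 0)

def _block(btype, body):
    total = 12 + len(body)                      # type + length + body + trailing length copy
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def write_pcapng(packets, linktype=1):
    """packets: iterable of (timestamp_us, frame_bytes, comment_or_None); one little-endian section."""
    out = _block(BT_SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))   # magic, v1.0, unknown length
    out += _block(BT_IDB, struct.pack("<HHI", linktype, 0, 65535))     # no if_tsresol => microseconds
    for ts_us, data, comment in packets:
        hdr = struct.pack("<IIIII", 0, ts_us >> 32, ts_us & 0xFFFFFFFF, len(data), len(data))
        out += _block(BT_EPB, hdr + _pad4(data) + _options(comment))
    return out

def read_comments(blob):
    """Walk every block; return [(frame_bytes, comment_or_None)] for each Enhanced Packet Block."""
    pos, found = 0, []
    while pos < len(blob):
        btype, total = struct.unpack_from("<II", blob, pos)
        if btype == BT_EPB:
            caplen = struct.unpack_from("<I", blob, pos + 20)[0]
            data = blob[pos + 28 : pos + 28 + caplen]
            opos, end, comment = pos + 28 + len(_pad4(data)), pos + total - 4, None
            while opos + 4 <= end:
                code, olen = struct.unpack_from("<HH", blob, opos)
                if code == 0:                   # opt_endofopt
                    break
                if code == OPT_COMMENT:
                    comment = blob[opos + 4 : opos + 4 + olen].decode("utf-8")
                opos += 4 + (olen + 3) // 4 * 4
            found.append((data, comment))
        pos += total
    return found

# Constructed sample: two minimal Ethernet-framed payloads, only the first one annotated.
SAMPLE = [(1289525271000000, b"\xff" * 12 + b"\x08\x00" + b"ping?", "retransmission seen here"),
          (1289525271000500, b"\xff" * 12 + b"\x08\x00" + b"pong!", None)]

def demo():
    return read_comments(write_pcapng(SAMPLE))
```

Because the comment lives in the block's option list rather than inside the frame, it works for any link type, which is the property the fake-OUI-frame approach above lacks.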