
Wireshark-dev: [Wireshark-dev] Handling of pcap-ng files in Wireshark

From: Anders Broman <anders.broman@xxxxxxxxxxxx>
Date: Thu, 16 Feb 2012 16:13:18 +0100
Hi,
Having spent some time looking at the implementation of handling pcap-ng files in Wireshark, I think we have to
decide on how to handle the non-packet blocks:
 
Section Header Block           SHB
Interface Description Block    IDB
Name Resolution Block          NRB
Interface Statistics Block     ISB
 
As it is now we hide the existence of these blocks and try to handle them behind the scenes, but we don't handle writing them back out again in a good way.
What would be the expected behavior when filtering a pcap-ng capture? Should all the ISBs be preserved, even if all the packets in between are gone?
- Would it make sense to stick SHB, IDB, NRB and ISBs into the packet list somehow and have them "dissected" as a packet frame? (or just a subset)
   They could be dissected as a "frame" with more or less data shown.
- Put them in frame data with a block type, but don't show them; messes up frame number, I suppose.
- Continue to try to handle them separately. But showing the ISB at the place it occurred might make sense.
- ?
 
At the moment, actually having them in the packet list appeals to me, but there is probably a downside, and I don't know how big the design effort would be.
Comments? Other ideas?
 
Regards
Anders
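
The question raised in the message above, as an added example that is not part of the original post and not Wireshark's code: a minimal pcap-ng block walker that lists blocks in file order, plus a filter that drops packets while keeping every SHB, IDB, NRB and ISB in place. The function names are hypothetical, the sample capture is constructed, and only little-endian sections are handled.

```python
import struct

# Block type codes from the pcap-ng specification (EPB = Enhanced Packet Block).
BLOCK_NAMES = {0x0A0D0D0A: "SHB", 0x00000001: "IDB", 0x00000004: "NRB",
               0x00000005: "ISB", 0x00000006: "EPB"}

def make_block(btype, body):
    """Build one block: type, total length, body padded to 32 bits, total length."""
    body += b"\x00" * (-len(body) % 4)
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def epb(payload):
    """Constructed EPB on interface 0 with a zero timestamp and no options."""
    return make_block(6, struct.pack("<IIIII", 0, 0, 0, len(payload), len(payload)) + payload)

def walk_blocks(data):
    """Yield (name, raw_block) in file order; assumes a little-endian section."""
    off = 0
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError(f"truncated block at offset {off}")
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        if struct.unpack_from("<I", data, off + total - 4)[0] != total:
            raise ValueError(f"trailing length mismatch at offset {off}")
        yield BLOCK_NAMES.get(btype, hex(btype)), data[off:off + total]
        off += total

def drop_packets(data, keep):
    """Keep all non-packet blocks and only packets whose 1-based frame number is in keep."""
    out, frame = [], 0
    for name, raw in walk_blocks(data):
        if name == "EPB":
            frame += 1
            if frame not in keep:
                continue
        out.append(raw)
    return b"".join(out)

# Constructed sample: SHB, IDB, NRB, two packets, an ISB, one more packet, a final ISB.
SAMPLE = b"".join([
    make_block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)),
    make_block(1, struct.pack("<HHI", 1, 0, 65535)),   # LINKTYPE_ETHERNET, snaplen 65535
    make_block(4, struct.pack("<HH", 0, 0)),           # NRB holding only nrb_record_end
    epb(b"\xaa" * 14), epb(b"\xbb" * 15),
    make_block(5, struct.pack("<III", 0, 0, 0)),       # ISB between packets
    epb(b"\xcc" * 14), make_block(5, struct.pack("<III", 0, 0, 0)),
])
```

With `keep={3}` the output order is SHB, IDB, NRB, ISB, EPB, ISB: both ISBs survive at their original positions even though the packets before the first one are gone.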