Wireshark-dev: Re: [Wireshark-dev] Direction definition on packet bus with no direction info in

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 28 Oct 2012 12:34:18 -0700
On Oct 28, 2012, at 11:22 AM, Martin Kaiser <lists@xxxxxxxxx> wrote:

> The solution we came up with is to have one DLT. The pcap packet data
> consists of a pseudo-header and the actual bytes that are transferred.
> The dissector picks up the direction from the pseudo-header.
> The capturing tool has to create the pseudo header for every packet it
> captures.

I would also recommend that solution.  The epb_flags field in pcap-ng is available only in pcap-ng, so critical information would be lost if, for whatever reason, the capture were written in a pcap file or converted from pcap-ng to pcap; in addition, I view it as indicating the packet's direction relative to the interface receiving it, which might represent a direction if the interface is a "live" interface on the capturing machine, but wouldn't do so if the machine is passively tapping a link, so I see epb_flags and pseudo-header directional information as separate.

Of the alternatives Andrew cited, 1) is, as he says, a bit heavy-handed, and 3) is a bit clunky *and* runs the risk that a user might destroy the information if they edit the comment.  4) probably is a bad idea for the reason Andrew gives.
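
The pseudo-header approach recommended above, sketched as an added example that is not part of the original message or of Wireshark's code: a capturing tool writes a plain pcap file whose packet data starts with a direction byte, and a reader recovers the direction from that data alone, with no pcap-ng fields involved. The one-byte layout, the direction codes and the use of private-use link type 147 (LINKTYPE_USER0) are assumptions made for illustration.

```python
import io
import struct

LINKTYPE_USER0 = 147        # private-use link type standing in for the one DLT
DIR_TO_DEVICE, DIR_FROM_DEVICE = 0, 1   # assumed direction codes

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, ver major/minor, zone, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
PSEUDO_HDR = struct.Struct("<B")         # assumed layout: a single direction byte
MAGIC = 0xA1B2C3D4

# Constructed sample traffic: (timestamp, direction, bytes seen on the bus)
SAMPLE = [(1351452858, DIR_TO_DEVICE, b"\x01\x02"),
          (1351452859, DIR_FROM_DEVICE, b"\x03")]


def write_capture(packets):
    """Capturing-tool side: prepend the pseudo-header to every packet."""
    out = io.BytesIO()
    out.write(PCAP_GLOBAL.pack(MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_USER0))
    for ts_sec, direction, payload in packets:
        data = PSEUDO_HDR.pack(direction) + payload
        out.write(PCAP_RECORD.pack(ts_sec, 0, len(data), len(data)))
        out.write(data)
    return out.getvalue()


def read_capture(blob):
    """Dissector side: recover each packet's direction from the packet data alone."""
    if len(blob) < PCAP_GLOBAL.size:
        raise ValueError("truncated file header")
    magic, *_, linktype = PCAP_GLOBAL.unpack_from(blob, 0)
    if magic != MAGIC or linktype != LINKTYPE_USER0:
        raise ValueError("unexpected magic or link type")
    offset, packets = PCAP_GLOBAL.size, []
    while offset < len(blob):
        if len(blob) - offset < PCAP_RECORD.size:
            raise ValueError("truncated record header")
        _, _, incl_len, _ = PCAP_RECORD.unpack_from(blob, offset)
        offset += PCAP_RECORD.size
        data = blob[offset:offset + incl_len]
        offset += incl_len
        if len(data) != incl_len or incl_len < PSEUDO_HDR.size:
            raise ValueError("record too short to hold the pseudo-header")
        (direction,) = PSEUDO_HDR.unpack_from(data)
        if direction not in (DIR_TO_DEVICE, DIR_FROM_DEVICE):
            raise ValueError("unknown direction code %d" % direction)
        packets.append((direction, data[PSEUDO_HDR.size:]))
    return packets
```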