Wireshark-dev: Re: [Wireshark-dev] Enhanced PCAP-NG dissection
From: Anders Broman <[email protected]>
Date: Wed, 17 Apr 2013 18:25:15 +0000



>From: [email protected] [mailto:[email protected]] On Behalf Of Brandon Carpenter
>Sent: den 17 april 2013 20:11
>To: [email protected]
>Subject: [Wireshark-dev] Enhanced PCAP-NG dissection


>I just posted a patch to improve dissection of PCAP-NG captures.  Below is the introductory paragraph describing the issues the patch addresses.  See Bug 8590 for more information and for the patch.  I am looking forward to feedback.

>The current processing of PCAP-NG has limitations that are addressed by the attached patches. First, dissection of the PCAP-NG blocks is occurring in the wiretap library instead of the wireshark library where dissection errors are less likely to cause problems. Second, it is difficult to present any data other than real packet data to the dissection engine. Third, multiple section header blocks are not supported. Finally, there is no way to add additional block types and/or options via a plug-in dissector.


I’m not sure that adding the ability to read new block types or options via a plugin is a good idea.  If new options or block types are needed the PCAP-NG specification should be updated with them and Wireshark enhanced to read them. Having plugins might encourage people to change the format in incompatible ways. If proprietary solutions are needed one could invent a generic proprietary block format with a vendor id and opaque content.

Just my 2 c




>Thank you,
>Brandon Carpenter