Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] PCAP-NG Block Formats

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 10 Jun 2016 17:18:16 -0700
On Jun 10, 2016, at 4:09 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

> The spec should discuss that more, including emphasizing that a reader must pay attention to the block total length when processing options - or deciding whether there are any options to process.  I'll look at doing that.

OK, the spec now says

	All the block bodies MAY embed optional fields.  Optional fields can be used to insert some information that may be useful when reading data, but that is not really needed for packet processing. Therefore, each tool can either read the content of the optional fields (if any), or skip some of them or even all at once.
        
	Skipping all the optional fields at once is straightforward because most of the blocks are made of a first part with fixed format, and a second optional part. Therefore, the Block Length field (present in the General Block Structure, see Section 3.1) can be used to determine how many bytes of optional fields, if any, are present in the block. That value can be used to determine whether the block has optional fields (if it is zero, there are no optional fields), to check, when processing optional fields, whether any optional fields remain, and to skip all the optional fields.