
Wireshark-dev: Re: [Wireshark-dev] “bytes on wire” vs. “bytes captured”

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 22 Jul 2019 11:26:05 -0700
On Jul 22, 2019, at 8:27 AM, Holger Pfrommer <HPfrommer@xxxxxxxxxxxx> wrote:

> thanks for your clarification. So I assume pcapng would be a good future-proof choice.

...as would adding a new link-layer header type, which would be supported in both pcap and pcapng.

> Which leads to the next question. When I put a vendor-specific options block to an EPB, how would I be able to dissect this in my dissector?

That would require changes to the pcapng file-reading code and to the dissection code.  The problem is that the routines that read records from a capture file don't have a mechanism to provide a complete list of options to the code calling those routines (not even for *standard* options); this needs to be fixed, but hasn't been fixed yet.

A new link-layer header type would be easier to support with the current code base.
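
The following is an added example, not part of the original message and not Wireshark code: a stand-alone reader for a single Enhanced Packet Block that returns the captured and on-wire lengths together with every option, including pcapng custom options carrying a Private Enterprise Number. It assumes a little-endian section; the names `build_epb` and `parse_epb` are hypothetical, and the sample block is constructed.

```python
import struct

# Custom option codes from the pcapng specification; each value starts with a
# 4-byte IANA Private Enterprise Number (PEN) in the section's byte order.
CUSTOM_OPTION_CODES = {2988, 2989, 19372, 19373}
EPB_TYPE = 0x00000006

def pad4(data: bytes) -> bytes:
    """Pad to a 32-bit boundary, as pcapng requires for packet data and options."""
    return data + b"\x00" * (-len(data) % 4)

def build_epb(packet: bytes, orig_len: int, options) -> bytes:
    """Construct a little-endian EPB (sample input for this example only)."""
    body = struct.pack("<IIIII", 0, 0, 0, len(packet), orig_len) + pad4(packet)
    for code, value in options:
        body += struct.pack("<HH", code, len(value)) + pad4(value)
    body += struct.pack("<HH", 0, 0)  # opt_endofopt
    total = len(body) + 12            # type + two copies of the total length
    return struct.pack("<II", EPB_TYPE, total) + body + struct.pack("<I", total)

def parse_epb(block: bytes) -> dict:
    """Parse one little-endian EPB and return its lengths and all options."""
    if len(block) < 32:
        raise ValueError("too short for an EPB")
    btype, total = struct.unpack_from("<II", block, 0)
    if btype != EPB_TYPE or total != len(block) or total % 4:
        raise ValueError("not a well-formed EPB")
    if struct.unpack_from("<I", block, total - 4)[0] != total:
        raise ValueError("trailing block length mismatch")
    _iface, _ts_hi, _ts_lo, cap_len, orig_len = struct.unpack_from("<IIIII", block, 8)
    end = total - 4
    off = 28 + cap_len + (-cap_len % 4)   # skip padded packet data
    if off > end:
        raise ValueError("captured length exceeds block")
    options = []
    while off + 4 <= end:
        code, length = struct.unpack_from("<HH", block, off)
        off += 4
        if code == 0:                     # opt_endofopt
            break
        if off + length > end:
            raise ValueError("option overruns block")
        value = block[off:off + length]
        off += length + (-length % 4)
        if code in CUSTOM_OPTION_CODES and length >= 4:
            options.append((code, struct.unpack("<I", value[:4])[0], value[4:]))
        else:
            options.append((code, None, value))
    return {"captured": cap_len, "on_wire": orig_len, "options": options}
```

Each returned option is a `(code, pen, value)` tuple, with `pen` set to `None` for standard options.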