> > Given all the desirable options people are looking for in this, and the
> > need for future growth, I think we should seriously consider an
> > XML-based format. Besides making it easy, format-wise, to include many
> > optional features and types of metadata, programs could also embed
> > decoded frame and protocol information in appropriate elements, right
> > within the capture file.
> >
> > <capture ...>
> >   <!-- a decoded frame -->
> >   <frame timestamp='1081896827.110627' length='142' snaplen='70'>
> >     <ethernet src='00:03:47:01:02:03' dst='00:03:47:04:05:06'
> >               type='0x0800'>
> >       0003470102030003470405060800
> >     </ethernet>
> >     <ip vers='4' hlen='20' ... flags='0x04' ... proto='17'>
> >       45000080...
> >       <udp sport='781' dport='2049' cksum='0xae49'>
> >         030d0801...
> >         <nfs op='READ' fh='0130493022...' offset='16384'>
> >           ...
> >         </nfs>
> >       </udp>
> >     </ip>
> >   </frame>
> >
Please no.

All programs reading pcap files through the pcap library will know how to
translate the capture file into a dissected list of packets.

If this is absolutely necessary it can be done really well by an external
tool that reads a pcap file and expands it 1000 times into an xml file.
It does not have to be implemented inside pcap.

NO xml in the kernel where pcap lives.

Also, some people actually work with pretty large files containing 10s of
millions of packets.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
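
The external-tool approach suggested in the reply, sketched as an added example that is not part of either message or of libpcap: it parses the classic pcap file format directly and emits `<frame>` and `<ethernet>` elements using the attribute names from the quoted proposal. The `<payload>` element, the `linktype` attribute, the function names and the sample capture are assumptions made for illustration.

```python
import struct
import xml.etree.ElementTree as ET

LINKTYPE_ETHERNET = 1

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def pcap_to_xml(data: bytes) -> ET.Element:
    """Expand classic (microsecond) pcap bytes into a <capture> element tree."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    # The magic number tells us the byte order the writer used.
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    root = ET.Element("capture", linktype=str(linktype))
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        sec, usec, caplen, wirelen = struct.unpack(end + "4I", data[off:off + 16])
        off += 16
        # caplen comes from the file: reject records that run past the end.
        if caplen > len(data) - off:
            raise ValueError("record length exceeds file size")
        pkt, off = data[off:off + caplen], off + caplen
        frame = ET.SubElement(root, "frame", timestamp=f"{sec}.{usec:06d}",
                              length=str(wirelen), snaplen=str(caplen))
        if linktype == LINKTYPE_ETHERNET and caplen >= 14:
            eth = ET.SubElement(frame, "ethernet", src=_mac(pkt[6:12]),
                                dst=_mac(pkt[0:6]), type=f"0x{pkt[12] << 8 | pkt[13]:04x}")
            eth.text, pkt = pkt[:14].hex(), pkt[14:]
        # Hypothetical <payload> element: bytes this sketch does not decode.
        ET.SubElement(frame, "payload").text = pkt.hex()
    return root

# Constructed sample: one Ethernet frame, 142 bytes on the wire, 70 captured.
_ETH = bytes.fromhex("000347040506" "000347010203" "0800")
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
          + struct.pack("<4I", 1081896827, 110627, 70, 142) + _ETH + bytes(56))

if __name__ == "__main__":
    print(ET.tostring(pcap_to_xml(SAMPLE), encoding="unicode"))
```

The record-length check matters because `caplen` is read from the file itself; a converter fed captures from untrusted sources should treat every header field as attacker-controlled.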