mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-19 10:53:58 +00:00
1681 lines
63 KiB
Plaintext
1681 lines
63 KiB
Plaintext
|
||
|
||
Network Working Group L. Degioanni
|
||
Internet-Draft F. Risso
|
||
Expires: August 30, 2004 Politecnico di Torino
|
||
March 2004
|
||
|
||
|
||
PCAP New Generation Dump File Format
|
||
pcap
|
||
|
||
Status of this Memo
|
||
|
||
This document is an Internet-Draft and is in full conformance with
|
||
all provisions of Section 10 of RFC2026.
|
||
|
||
Internet-Drafts are working documents of the Internet Engineering
|
||
Task Force (IETF), its areas, and its working groups. Note that other
|
||
groups may also distribute working documents as Internet-Drafts.
|
||
|
||
Internet-Drafts are draft documents valid for a maximum of six months
|
||
and may be updated, replaced, or obsoleted by other documents at any
|
||
time. It is inappropriate to use Internet-Drafts as reference
|
||
material or to cite them other than as "work in progress."
|
||
|
||
The list of current Internet-Drafts can be accessed at http://
|
||
www.ietf.org/ietf/1id-abstracts.txt.
|
||
|
||
The list of Internet-Draft Shadow Directories can be accessed at
|
||
http://www.ietf.org/shadow.html.
|
||
|
||
This Internet-Draft will expire on August 30, 2004.
|
||
|
||
Copyright Notice
|
||
|
||
Copyright (C) The Internet Society (2004). All Rights Reserved.
|
||
|
||
Abstract
|
||
|
||
This document describes a format to dump captured packets on a file.
|
||
This format is extensible and it is currently proposed for
|
||
implementation in the libpcap/WinPcap packet capture library.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 1]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
Table of Contents
|
||
|
||
1. Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||
2. General File Structure . . . . . . . . . . . . . . . . . . . . 4
|
||
2.1 General Block Structure . . . . . . . . . . . . . . . . . . . 4
|
||
2.2 Block Types . . . . . . . . . . . . . . . . . . . . . . . . . 5
|
||
2.3 Block Hierarchy and Precedence . . . . . . . . . . . . . . . . 5
|
||
2.4 Data format . . . . . . . . . . . . . . . . . . . . . . . . . 6
|
||
3. Block Definition . . . . . . . . . . . . . . . . . . . . . . . 8
|
||
3.1 Section Header Block (mandatory) . . . . . . . . . . . . . . . 8
|
||
3.2 Interface Description Block (mandatory) . . . . . . . . . . . 9
|
||
3.3 Packet Block (optional) . . . . . . . . . . . . . . . . . . . 13
|
||
3.4 Simple Packet Block (optional) . . . . . . . . . . . . . . . . 15
|
||
3.5 Name Resolution Block (optional) . . . . . . . . . . . . . . . 16
|
||
3.6 Interface Statistics Block (optional) . . . . . . . . . . . . 18
|
||
4. Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
|
||
5. Experimental Blocks (deserved to a further investigation) . . 23
|
||
5.1 Other Packet Blocks (experimental) . . . . . . . . . . . . . . 23
|
||
5.2 Compression Block (experimental) . . . . . . . . . . . . . . . 23
|
||
5.3 Encryption Block (experimental) . . . . . . . . . . . . . . . 23
|
||
5.4 Fixed Length Block (experimental) . . . . . . . . . . . . . . 24
|
||
5.5 Directory Block (experimental) . . . . . . . . . . . . . . . . 25
|
||
5.6 Traffic Statistics and Monitoring Blocks (experimental) . . . 25
|
||
5.7 Event/Security Block (experimental) . . . . . . . . . . . . . 25
|
||
6. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 27
|
||
7. Most important open issues . . . . . . . . . . . . . . . . . . 28
|
||
Intellectual Property and Copyright Statements . . . . . . . . 29
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 2]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
1. Objectives
|
||
|
||
The problem of exchanging packet traces becomes more and more
|
||
critical every day; unfortunately, no standard solutions exist for
|
||
this task right now. One of the most accepted packet interchange
|
||
formats is the one defined by libpcap, which is rather old and does
|
||
not fit for some of the nowadays applications especially in terms of
|
||
extensibility.
|
||
|
||
This document proposes a new format for dumping packet traces. The
|
||
following goals are being pursued:
|
||
|
||
o Extensibility: aside of some common functionalities, third parties
|
||
should be able to enrich the information embedded in the file with
|
||
proprietary extensions, which will be ignored by tools that are
|
||
not able to understand them.
|
||
|
||
o Portability: a capture trace must contain all the information
|
||
needed to read data independently from network, hardware and
|
||
operating system of the machine that made the capture.
|
||
|
||
o Merge/Append data: it should be possible to add data at the end of
|
||
a given file, and the resulting file must still be readable.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 3]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
2. General File Structure
|
||
|
||
2.1 General Block Structure
|
||
|
||
A capture file is organized in blocks, that are appended one to
|
||
another to form the file. All the blocks share a common format, which
|
||
is shown in Figure 1.
|
||
|
||
0 1 2 3
|
||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Block Type |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Block Total Length |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
/ Block Body /
|
||
/ /* variable length, aligned to 32 bits */ /
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Block Total Length |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
|
||
Figure 1: Basic block structure.
|
||
|
||
The fields have the following meaning:
|
||
|
||
o Block Type (32 bits): unique value that identifies the block.
|
||
Values whose Most Significant Bit (MSB) is equal to 1 are reserved
|
||
for local use. They allow to save private data to the file and to
|
||
extend the file format.
|
||
|
||
o Block Total Length: total size of this block, in bytes. For
|
||
instance, a block that does not have a body has a length of 12
|
||
bytes.
|
||
|
||
o Block Body: content of the block.
|
||
|
||
o Block Total Length: total size of this block, in bytes. This field
|
||
is duplicated for permitting backward file navigation.
|
||
|
||
This structure, shared among all blocks, makes easy to process a file
|
||
and to skip unneeded or unknown blocks. Blocks can be nested one
|
||
inside the others (NOTE: needed?). Some of the blocks are mandatory,
|
||
i.e. a dump file is not valid if they are not present, other are
|
||
optional.
|
||
|
||
The structure of the blocks allows to define other blocks if needed.
|
||
A parser that does non understand them can simply ignore their
|
||
content.
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 4]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
2.2 Block Types
|
||
|
||
The currently defined blocks are the following:
|
||
|
||
1. Section Header Block: it defines the most important
|
||
characteristics of the capture file.
|
||
|
||
2. Interface Description Block: it defines the most important
|
||
characteristics of the interface(s) used for capturing traffic.
|
||
|
||
3. Packet Block: it contains a single captured packet, or a portion
|
||
of it.
|
||
|
||
4. Simple Packet Block: it contains a single captured packet, or a
|
||
portion of it, with only a minimal set of information about it.
|
||
|
||
5. Name Resolution Block: it defines the mapping from numeric
|
||
addresses present in the packet dump and the canonical name
|
||
counterpart.
|
||
|
||
6. Capture Statistics Block: it defines how to store some
|
||
statistical data (e.g. packet dropped, etc) which can be useful
|
||
to undestand the conditions in which the capture has been made.
|
||
|
||
7. Compression Marker Block: TODO
|
||
|
||
8. Encryption Marker Block: TODO
|
||
|
||
9. Fixed Length Marker Block: TODO
|
||
|
||
The following blocks instead are considered interesting but the
|
||
authors believe that they deserve more in-depth discussion before
|
||
being defined:
|
||
|
||
1. Further Packet Blocks
|
||
|
||
2. Directory Block
|
||
|
||
3. Traffic Statistics and Monitoring Blocks
|
||
|
||
4. Alert and Security Blocks
|
||
|
||
TODO Currently standardized Block Type codes are specified in
|
||
Appendix 1.
|
||
|
||
2.3 Block Hierarchy and Precedence
|
||
|
||
The file must begin with a Section Header Block. However, more than
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 5]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
one Section Header Block can be present on the dump, each one
|
||
covering the data following it till the next one (or the end of
|
||
file). A Section includes the data delimited by two Section Header
|
||
Blocks (or by a Section Header Block and the end of the file),
|
||
including the first Section Header Block.
|
||
|
||
In case an application cannot read a Section because of different
|
||
version number, it must skip everything until the next Section Header
|
||
Block. Note that, in order to properly skip the blocks until the next
|
||
section, all blocks must have the fields Type and Length at the
|
||
beginning. This is a mandatory requirement that must be maintained in
|
||
future versions of the block format.
|
||
|
||
Figure 2 shows two valid files: the first has a typical
|
||
configuration, with a single Section Header that covers the whole
|
||
file. The second one contains three headers, and is normally the
|
||
result of file concatenation. An application that understands only
|
||
version 1.0 of the file format skips the intermediate section and
|
||
restart processing the packets after the third Section Header.
|
||
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| SHB v1.0 | Data |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
Typical configuration with a single Section Header Block
|
||
|
||
|
||
|-- 1st Section --|-- 2nd Section --|-- 3rd Section --|
|
||
| |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| SHB v1.0 | Data | SHB V1.1 | Data | SHB V1.0 | Data |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
Configuration with three different Section Header Blocks
|
||
|
||
Figure 2: File structure example: the Section Header Block.
|
||
|
||
NOTE: TO BE COMPLETED with some examples of other blocks
|
||
|
||
2.4 Data format
|
||
|
||
Data contained in each section will always be saved according to the
|
||
characteristics (little endian / big endian) of the dumping machine.
|
||
This refers to all fields that are saved as numbers and that span
|
||
over two or more bytes.
|
||
|
||
The approach of having each section saved in the native format of the
|
||
generating host is more efficient because it avoids translation of
|
||
data when reading / writing on the host itself, which is the most
|
||
common case when generating/processing capture dumps.
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 6]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
TODO Probably we have to specify something more here. Is what we're
|
||
saying enough to avoid any kind of ambiguity?.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 7]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
3. Block Definition
|
||
|
||
This section details the format of the body of the blocks currently
|
||
defined.
|
||
|
||
3.1 Section Header Block (mandatory)
|
||
|
||
The Section Header Block is mandatory. It identifies the beginning of
|
||
a section of the capture dump file. Its format is shown in Figure 3.
|
||
|
||
0 1 2 3
|
||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Magic |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Major | Minor |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
/ /
|
||
/ Options (variable) /
|
||
/ /
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
|
||
Figure 3: Section Header Block format.
|
||
|
||
The meaning of the fields is:
|
||
|
||
o Magic: magic number, whose value is the hexadecimal number
|
||
0x1A2B3C4D. This number can be used to distinguish section that
|
||
have been saved on little-endian machines from the one saved on
|
||
big-endian machines.
|
||
|
||
o Major: number of the current mayor version of the format. Current
|
||
value is 1.
|
||
|
||
o Minor: number of the current minor version of the format. Current
|
||
value is 0.
|
||
|
||
o Options: optionally, a list of options (formatted according to the
|
||
rules defined in Section 4) can be present.
|
||
|
||
Aside form the options defined in Section 4, the following options
|
||
are valid within this block:
|
||
|
||
+----------------+----------------+----------------+----------------+
|
||
| Name | Code | Length | Description |
|
||
+----------------+----------------+----------------+----------------+
|
||
| Hardware | 2 | variable | An ascii |
|
||
| | | | string |
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 8]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
| | | | containing the |
|
||
| | | | description of |
|
||
| | | | the hardware |
|
||
| | | | used to create |
|
||
| | | | this section. |
|
||
| | | | |
|
||
| Operating | 3 | variable | An ascii |
|
||
| System | | | string |
|
||
| | | | containing the |
|
||
| | | | name of the |
|
||
| | | | operating |
|
||
| | | | system used to |
|
||
| | | | create this |
|
||
| | | | section. |
|
||
| | | | |
|
||
| User | 3 | variable | An ascii |
|
||
| Application | | | string |
|
||
| | | | containing the |
|
||
| | | | name of the |
|
||
| | | | application |
|
||
| | | | used to create |
|
||
| | | | this section. |
|
||
+----------------+----------------+----------------+----------------+
|
||
|
||
Table 1
|
||
|
||
The Section Header Block does not contain data but it rather
|
||
identifies a list of blocks (interfaces, packets) that are logically
|
||
correlated. This block does not contain any reference to the size of
|
||
the section it is currently delimiting, therefore the reader cannot
|
||
skip a whole section at once. In case a section must be skipped, the
|
||
user has to repeatedly skip all the blocks contained within it; this
|
||
makes the parsing of the file slower but it permits to append several
|
||
capture dumps at the same file.
|
||
|
||
3.2 Interface Description Block (mandatory)
|
||
|
||
The Interface Description Block is mandatory. This block is needed to
|
||
specify the characteristics of the network interface on which the
|
||
capture has been made. In order to properly associate the captured
|
||
data to the corresponding interface, the Interface Description Block
|
||
must be defined before any other block that uses it; therefore, this
|
||
block is usually placed immediately after the Section Header Block.
|
||
|
||
An Interface Description Block is valid only inside the section which
|
||
it belongs to. The structure of a Interface Description Block is
|
||
shown in Figure 4.
|
||
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 9]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
0 1 2 3
|
||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Interface ID | LinkType |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| SnapLen |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
/ /
|
||
/ Options (variable) /
|
||
/ /
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
|
||
Figure 4: Interface Description Block format.
|
||
|
||
The meaning of the fields is:
|
||
|
||
o Interface ID: a progressive number that identifies uniquely any
|
||
interface inside current section. Two Interface Description Blocks
|
||
can have the same Interface ID only if they are in different
|
||
sections of the file. The Interface ID is referenced by the packet
|
||
blocks.
|
||
|
||
o LinkType: a value that defines the link layer type of this
|
||
interface.
|
||
|
||
o SnapLen: maximum number of bytes dumped from each packet. The
|
||
portion of each packet that exceeds this value will not be stored
|
||
in the file.
|
||
|
||
o Options: optionally, a list of options (formatted according to the
|
||
rules defined in Section 4) can be present.
|
||
|
||
In addition to the options defined in Section 4, the following
|
||
options are valid within this block:
|
||
|
||
+----------------+----------------+----------------+----------------+
|
||
| Name | Code | Length | Description |
|
||
+----------------+----------------+----------------+----------------+
|
||
| if_name | 2 | Variable | Name of the |
|
||
| | | | device used to |
|
||
| | | | capture data. |
|
||
| | | | |
|
||
| if_IPv4addr | 3 | 8 | Interface |
|
||
| | | | network |
|
||
| | | | address and |
|
||
| | | | netmask. |
|
||
| | | | |
|
||
| if_IPv6addr | 4 | 17 | Interface |
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 10]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
| | | | network |
|
||
| | | | address and |
|
||
| | | | prefix length |
|
||
| | | | (stored in the |
|
||
| | | | last byte). |
|
||
| | | | |
|
||
| if_MACaddr | 5 | 6 | Interface |
|
||
| | | | Hardware MAC |
|
||
| | | | address (48 |
|
||
| | | | bits). |
|
||
| | | | |
|
||
| if_EUIaddr | 6 | 8 | Interface |
|
||
| | | | Hardware EUI |
|
||
| | | | address (64 |
|
||
| | | | bits), if |
|
||
| | | | available. |
|
||
| | | | |
|
||
| if_speed | 7 | 8 | Interface |
|
||
| | | | speed (in |
|
||
| | | | bps). |
|
||
| | | | |
|
||
| if_tsaccur | 8 | 1 | Precision of |
|
||
| | | | timestamps. If |
|
||
| | | | the Most |
|
||
| | | | Significant |
|
||
| | | | Bit is equal |
|
||
| | | | to zero, the |
|
||
| | | | remaining bits |
|
||
| | | | indicates the |
|
||
| | | | accuracy as as |
|
||
| | | | a negative |
|
||
| | | | power of 10 |
|
||
| | | | (e.g. 6 means |
|
||
| | | | microsecond |
|
||
| | | | accuracy). If |
|
||
| | | | the Most |
|
||
| | | | Significant |
|
||
| | | | Bit is equal |
|
||
| | | | to zero, the |
|
||
| | | | remaining bits |
|
||
| | | | indicates the |
|
||
| | | | accuracy as as |
|
||
| | | | negative power |
|
||
| | | | of 2 (e.g. 10 |
|
||
| | | | means 1/1024 |
|
||
| | | | of second). If |
|
||
| | | | this option is |
|
||
| | | | not present, a |
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 11]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
| | | | precision of |
|
||
| | | | 10^-6 is |
|
||
| | | | assumed. |
|
||
| | | | |
|
||
| if_tzone | 9 | 4 | Time zone for |
|
||
| | | | GMT support |
|
||
| | | | (TODO: specify |
|
||
| | | | better). |
|
||
| | | | |
|
||
| if_flags | 10 | 4 | Interface |
|
||
| | | | flags. (TODO: |
|
||
| | | | specify |
|
||
| | | | better. |
|
||
| | | | Possible |
|
||
| | | | flags: |
|
||
| | | | promiscuous, |
|
||
| | | | inbound/outbou |
|
||
| | | | nd, traffic |
|
||
| | | | filtered |
|
||
| | | | during |
|
||
| | | | capture). |
|
||
| | | | |
|
||
| if_filter | 11 | variable | The filter |
|
||
| | | | (e.g. "capture |
|
||
| | | | only TCP |
|
||
| | | | traffic") used |
|
||
| | | | to capture |
|
||
| | | | traffic. The |
|
||
| | | | first byte of |
|
||
| | | | the Option |
|
||
| | | | Data keeps a |
|
||
| | | | code of the |
|
||
| | | | filter used |
|
||
| | | | (e.g. if this |
|
||
| | | | is a libpcap |
|
||
| | | | string, or BPF |
|
||
| | | | bytecode, and |
|
||
| | | | more). More |
|
||
| | | | details about |
|
||
| | | | this format |
|
||
| | | | will be |
|
||
| | | | presented in |
|
||
| | | | Appendix XXX |
|
||
| | | | (TODO). |
|
||
| | | | |
|
||
| if_opersystem | 12 | variable | An ascii |
|
||
| | | | string |
|
||
| | | | containing the |
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 12]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
| | | | name of the |
|
||
| | | | operating |
|
||
| | | | system of the |
|
||
| | | | machine that |
|
||
| | | | hosts this |
|
||
| | | | interface. |
|
||
| | | | This can be |
|
||
| | | | different from |
|
||
| | | | the same |
|
||
| | | | information |
|
||
| | | | that can be |
|
||
| | | | contained by |
|
||
| | | | the Section |
|
||
| | | | Header Block |
|
||
| | | | (Section 3.1) |
|
||
| | | | because the |
|
||
| | | | capture can |
|
||
| | | | have been done |
|
||
| | | | on a remote |
|
||
| | | | machine. |
|
||
+----------------+----------------+----------------+----------------+
|
||
|
||
Table 2
|
||
|
||
|
||
3.3 Packet Block (optional)
|
||
|
||
A Packet Block is the standard container for storing the packets
|
||
coming from the network. The Packet Block is optional because packets
|
||
can be stored either by means of this block or the Simple Packet
|
||
Block, which can be used to speed up dump generation. The format of a
|
||
packet block is shown in Figure 5.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 13]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
0 1 2 3
|
||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Interface ID | Drops Count |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Timestamp (High) |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Timestamp (Low) |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Captured Len |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Packet Len |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| |
|
||
| Packet Data |
|
||
| |
|
||
| /* variable length, byte-aligned */ |
|
||
| |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
/ /
|
||
/ Options (variable) /
|
||
/ /
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
|
||
Figure 5: Packet Block format.
|
||
|
||
The Packet Block has the following fields:
|
||
|
||
o Interface ID: Specifies the interface this packet comes from, and
|
||
corresponds to the ID of one of the Interface Description Blocks
|
||
present in this section of the file (see Figure 4).
|
||
|
||
o Drops Count: a local drop counter. It specified the number of
|
||
packets lost (by the interface and the operating system) between
|
||
this packet and the preceding one. The value xFFFF (in
|
||
hexadecimal) is reserved for those systems in which this
|
||
information is not available.
|
||
|
||
o Timestamp (High): the most significative part of the timestamp. in
|
||
standard Unix format, i.e. from 1/1/1970.
|
||
|
||
o Timestamp (Low): the less significative part of the timestamp. The
|
||
way to interpret this field is specified by the 'ts_accur' option
|
||
(see Figure 4) of the Interface Description block referenced by
|
||
this packet. If the Interface Description block does not contain a
|
||
'ts_accur' option, then this field is expressed in microseconds.
|
||
|
||
o Captured Len: number of bytes captured from the packet (i.e. the
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 14]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
length of the Packet Data field). It will be the minimum value
|
||
among the actual Packet Length and the snapshot length (defined in
|
||
Figure 4).
|
||
|
||
o Packet Len: actual length of the packet when it was transmitted on
|
||
the network. Can be different from Captured Len if the user wants
|
||
only a snapshot of the packet.
|
||
|
||
o Packet Data: the data coming from the network, including
|
||
link-layer headers. The length of this field is Captured Len. The
|
||
format of the link-layer headers depends on the LinkType field
|
||
specified in the Interface Description Block (see Section 3.2) and
|
||
it is specified in Appendix XXX (TODO).
|
||
|
||
o Options: optionally, a list of options (formatted according to the
|
||
rules defined in Section 4) can be present.
|
||
|
||
|
||
3.4 Simple Packet Block (optional)
|
||
|
||
The Simple Packet Block is a lightweight container for storing the
|
||
packets coming from the network. Its presence is optional.
|
||
|
||
A Simple Packet Block is similar to a Packet Block (see Section 3.3),
|
||
but it is smaller, simpler to process and contains only a minimal set
|
||
of information. This block is preferred to the standard Packet Block
|
||
when performance or space occupation are critical factors, such as in
|
||
sustained traffic dump applications. A capture file can contain both
|
||
Packet Blocks and Simple Packet Blocks: for example, a capture tool
|
||
could switch from Packet Blocks to Simple Packet Blocks when the
|
||
hardware resources become critical.
|
||
|
||
The Simple Packet Block does not contain the Interface ID field.
|
||
Therefore, it must be assumed that all the Simple Packet Blocks have
|
||
been captured on the interface previously specified in the Interface
|
||
Description Block.
|
||
|
||
Figure 6 shows the format of the Simple Packet Block.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 15]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
0 1 2 3
|
||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Packet Len |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| |
|
||
| Packet Data |
|
||
| |
|
||
| /* variable length, byte-aligned */ |
|
||
| |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
|
||
Figure 6: Simple Packet Block format.
|
||
|
||
The Packet Block has the following fields:
|
||
|
||
o Packet Len: actual length of the packet when it was transmitted on
|
||
the network. Can be different from captured len if the packet has
|
||
been truncated.
|
||
|
||
o Packet data: the data coming from the network, including
|
||
link-layers headers. The length of this field can be derived from
|
||
the field Block Total Length, present in the Block Header.
|
||
|
||
The Simple Packet Block does not contain the timestamp because this
|
||
is one of the most costly operations on PCs. Additionally, there are
|
||
applications that do not require it; e.g. an Intrusion Detection
|
||
System is interested in packets, not in their timestamp.
|
||
|
||
The Simple Packet Block is very efficient in term of disk space: a
|
||
snapshot of length 100 bytes requires only 16 bytes of overhead,
|
||
which corresponds to an efficiency of more than 86%.
|
||
|
||
3.5 Name Resolution Block (optional)
|
||
|
||
The Name Resolution Block is used to support the correlation of
|
||
numeric addresses (present in the captured packets) and their
|
||
corresponding canonical names and it is optional. Having the literal
|
||
names saved in the file, this prevents the need of a name resolution
|
||
in a delayed time, when the association between names and addresses
|
||
can be different from the one in use at capture time. Moreover, The
|
||
Name Resolution Block avoids the need of issuing a lot of DNS
|
||
requests every time the trace capture is opened, and allows to have
|
||
name resolution also when reading the capture with a machine not
|
||
connected to the network.
|
||
|
||
The format of the Name Resolution Block is shown in Figure 7.
|
||
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 16]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
0 1 2 3
|
||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Record Type | Record Length |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Record Value |
|
||
| /* variable length, byte-aligned */ |
|
||
| + + + + + + + + + + + + + + + + + + + + + + + + +
|
||
| | | | |
|
||
+-+-+-+-+-+-+-+-+ + + + + + + + + + + + + + + + + + + + + + + + +
|
||
. . . other records . . .
|
||
| Record Type == end_of_recs | Record Length == 00 |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
/ /
|
||
/ Options (variable) /
|
||
/ /
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
|
||
Figure 7: Name Resolution Block format.
|
||
|
||
A Name Resolution Block is a zero-terminated list of records (in the
|
||
TLV format), each of which contains an association between a network
|
||
address and a name. There are three possible types of records:
|
||
|
||
+----------------+----------------+----------------+----------------+
|
||
| Name | Code | Length | Description |
|
||
+----------------+----------------+----------------+----------------+
|
||
| end_of_recs | 0 | 0 | End of records |
|
||
| | | | |
|
||
| ip4_rec | 1 | Variable | Specifies an |
|
||
| | | | IPv4 address |
|
||
| | | | (contained in |
|
||
| | | | the first 4 |
|
||
| | | | bytes), |
|
||
| | | | followed by |
|
||
| | | | one or more |
|
||
| | | | zero-terminate |
|
||
| | | | d strings |
|
||
| | | | containing the |
|
||
| | | | DNS entries |
|
||
| | | | for that |
|
||
| | | | address. |
|
||
| | | | |
|
||
| ip6_rec | 1 | Variable | Specifies an |
|
||
| | | | IPv6 address |
|
||
| | | | (contained in |
|
||
| | | | the first 16 |
|
||
| | | | bytes), |
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 17]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
| | | | followed by |
|
||
| | | | one or more |
|
||
| | | | zero-terminate |
|
||
| | | | d strings |
|
||
| | | | containing the |
|
||
| | | | DNS entries |
|
||
| | | | for that |
|
||
| | | | address. |
|
||
+----------------+----------------+----------------+----------------+
|
||
|
||
Table 3
|
||
|
||
After the list or Name Resolution Records, optionally, a list of
|
||
options (formatted according to the rules defined in Section 4) can
|
||
be present.
|
||
|
||
A Name Resolution Block is normally placed at the beginning of the
|
||
file, but no assumptions can be taken about its position. Name
|
||
Resolution Blocks can be added in a second time by tools that process
|
||
the file, like network analyzers.
|
||
|
||
In addiction to the options defined in Section 4, the following
|
||
options are valid within this block:
|
||
|
||
+----------------+----------------+----------------+----------------+
|
||
| Name | Code | Length | Description |
|
||
+----------------+----------------+----------------+----------------+
|
||
| ns_dnsname | 2 | Variable | An ascii |
|
||
| | | | string |
|
||
| | | | containing the |
|
||
| | | | name of the |
|
||
| | | | machine (DNS |
|
||
| | | | server) used |
|
||
| | | | to perform the |
|
||
| | | | name |
|
||
| | | | resolution. |
|
||
+----------------+----------------+----------------+----------------+
|
||
|
||
|
||
3.6 Interface Statistics Block (optional)
|
||
|
||
The Interface Statistics Block contains the capture statistics for a
|
||
given interface and it is optional. The statistics are referred to
|
||
the interface defined in the current Section identified by the
|
||
Interface ID field.
|
||
|
||
The format of the Interface Statistics Block is shown in Figure 8.
|
||
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 18]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
0 1 2 3
|
||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| IfRecv |
|
||
| (high + low) |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| IfDrop |
|
||
| (high + low) |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| FilterAccept |
|
||
| (high + low) |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| OSDrop |
|
||
| (high + low) |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| UsrDelivered |
|
||
| (high + low) |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Interface ID | Reserved |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
/ /
|
||
/ Options (variable) /
|
||
/ /
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
|
||
Figure 8: Interface Statistics Block format.
|
||
|
||
The fields have the following meaning:
|
||
|
||
o IfRecv: number of packets received from the interface during the
|
||
capture. This number is reported as a 64 bits value, in which the
|
||
most significat bits are located in the first four bytes of the
|
||
field.
|
||
|
||
o IfDrop: number of packets dropped by the interface during the
|
||
capture due to lack of resources.
|
||
|
||
o FilterAccept: number of packets accepeted by filter during current
|
||
capture.
|
||
|
||
o OSDrop: number of packets dropped by the operating system during
|
||
the capture.
|
||
|
||
o UsrDelivered: number of packets delivered to the user.
|
||
UsrDelivered can be different from the value 'FilterAccept -
|
||
OSDropped' because some packets could still lay in the OS buffers
|
||
when the capture ended.
|
||
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 19]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
o Interface ID: reference to an Interface Description Block.
|
||
|
||
o Reserved: Reserved to future use.
|
||
|
||
o Options: optionally, a list of options (formatted according to the
|
||
rules defined in Section 4) can be present.
|
||
|
||
In addiction to the options defined in Section 4, the following
|
||
options are valid within this block:
|
||
|
||
+----------------+----------------+----------------+----------------+
|
||
| Name | Code | Length | Description |
|
||
+----------------+----------------+----------------+----------------+
|
||
| isb_starttime | 2 | 8 | Time in which |
|
||
| | | | the capture |
|
||
| | | | started; time |
|
||
| | | | will be stored |
|
||
| | | | in two blocks |
|
||
| | | | of four bytes |
|
||
| | | | each, |
|
||
| | | | containing the |
|
||
| | | | timestamp in |
|
||
| | | | seconds and |
|
||
| | | | nanoseconds. |
|
||
| | | | |
|
||
| isb_endtime | 3 | 8 | Time in which |
|
||
| | | | the capture |
|
||
| | | | started; time |
|
||
| | | | will be stored |
|
||
| | | | in two blocks |
|
||
| | | | of four bytes |
|
||
| | | | each, |
|
||
| | | | containing the |
|
||
| | | | timestamp in |
|
||
| | | | seconds and |
|
||
| | | | nanoseconds. |
|
||
+----------------+----------------+----------------+----------------+
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 20]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
4. Options
|
||
|
||
Almost all blocks have the possibility to embed optional fields.
|
||
Optional fields can be used to insert some information that may be
|
||
useful when reading data, but that it is not really needed for packet
|
||
processing. Therefore, each tool can be either read the content of
|
||
the optional fields (if any), or skip them at once.
|
||
|
||
Skipping all the optional fields at once is straightforward because
|
||
most of the blocks have a fixed length, therefore the field Block
|
||
Length (present in the General Block Structure, see Section 2.1) can
|
||
be used to skip everything till the next block.
|
||
|
||
Options are a list of Type - Length - Value fields, each one
|
||
containing a single value:
|
||
|
||
o Option Type (2 bytes): it contains the code that specifies the
|
||
type of the current TLV record. Option types whose Most
|
||
Significant Bit is equal to one are reserved for local use;
|
||
therefore, there is no guarantee that the code used is unique
|
||
among all capture files (generated by other applications). In case
|
||
of vendor-specific extensions that have to be identified uniquely,
|
||
vendors must request an Option Code whose MSB is equal to zero.
|
||
|
||
o Option Length (2 bytes): it contains the length of the following
|
||
'Option Value' field.
|
||
|
||
o Option Value (variable length): it contains the value of the given
|
||
option. The length of this field as been specified by the Option
|
||
Length field.
|
||
|
||
Options may be repeated several times (e.g. an interface that has
|
||
several IP addresses associated to it). The option list is terminated
|
||
by a special code which is the 'End of Option'.
|
||
|
||
The format of the optional fields is shown in Figure 9.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 21]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
0 1 2 3
|
||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Option Code | Option Length |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Option Value |
|
||
| /* variable length, byte-aligned */ |
|
||
| + + + + + + + + + + + + + + + + + + + + + + + + +
|
||
| / / / |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
/ /
|
||
/ . . . other options . . . /
|
||
/ /
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Option Code == opt_endofopt | Option Length == 0 |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
|
||
Figure 9: Options format.
|
||
|
||
The following codes can always be present in any optional field:
|
||
|
||
+----------------+----------------+----------------+----------------+
|
||
| Name | Code | Length | Description |
|
||
+----------------+----------------+----------------+----------------+
|
||
| opt_endofopt | 0 | 0 | End of |
|
||
| | | | options: it is |
|
||
| | | | used to |
|
||
| | | | delimit the |
|
||
| | | | end of the |
|
||
| | | | optional |
|
||
| | | | fields. This |
|
||
| | | | block cannot |
|
||
| | | | be repeated |
|
||
| | | | within a given |
|
||
| | | | list of |
|
||
| | | | options. |
|
||
| | | | |
|
||
| opt_comment | 1 | variable | Comment: it is |
|
||
| | | | an ascii |
|
||
| | | | string |
|
||
| | | | containing a |
|
||
| | | | comment that |
|
||
| | | | is associated |
|
||
| | | | to the current |
|
||
| | | | block. |
|
||
+----------------+----------------+----------------+----------------+
|
||
|
||
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 22]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
5. Experimental Blocks (deserved to a further investigation)
|
||
|
||
5.1 Other Packet Blocks (experimental)
|
||
|
||
Can some other packet blocks (besides the two described in the
|
||
previous paragraphs) be useful?
|
||
|
||
5.2 Compression Block (experimental)
|
||
|
||
The Compression Block is optional. A file can contain an arbitrary
|
||
number of these blocks. A Compression Block, as the name says, is
|
||
used to store compressed data. Its format is shown in Figure 10.
|
||
|
||
0 1 2 3
|
||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Compr. Type | |
|
||
+-+-+-+-+-+-+-+-+ |
|
||
| |
|
||
| Compressed Data |
|
||
| |
|
||
| /* variable length, byte-aligned */ |
|
||
| |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
|
||
Figure 10: Compression Block format.
|
||
|
||
The fields have the following meaning:
|
||
|
||
o Compression Type: specifies the compression algorithm. Possible
|
||
values for this field are 0 (uncompressed), 1 (Lempel Ziv), 2
|
||
(Gzip), other?? Probably some kind of dumb and fast compression
|
||
algorithm could be effective with some types of traffic (for
|
||
example web), but which?
|
||
|
||
o Compressed Data: data of this block. Once decompressed, it is made
|
||
of other blocks.
|
||
|
||
|
||
5.3 Encryption Block (experimental)
|
||
|
||
The Encryption Block is optional. A file can contain an arbitrary
|
||
number of these blocks. An Encryption Block is used to sotre
|
||
encrypted data. Its format is shown in Figure 11.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 23]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
0 1 2 3
|
||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Encr. Type | |
|
||
+-+-+-+-+-+-+-+-+ |
|
||
| |
|
||
| Compressed Data |
|
||
| |
|
||
| /* variable length, byte-aligned */ |
|
||
| |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
|
||
Figure 11: Encryption Block format.
|
||
|
||
The fields have the following meaning:
|
||
|
||
o Compression Type: specifies the encryption algorithm. Possible
|
||
values for this field are ??? NOTE: this block should probably
|
||
contain other fields, depending on the encryption algorithm. To be
|
||
define precisely.
|
||
|
||
o Encrypted Data: data of this block. Once decripted, it consists of
|
||
other blocks.
|
||
|
||
|
||
5.4 Fixed Length Block (experimental)
|
||
|
||
The Fixed Length Block is optional. A file can contain an arbitrary
|
||
number of these blocks. A Fixed Length Block can be used to optimize
|
||
the access to the file. Its format is shown in Figure 12. A Fixed
|
||
Length Block stores records with constant size. It contains a set of
|
||
Blocks (normally Packet Blocks or Simple Packet Blocks), of wihich it
|
||
specifies the size. Knowing this size a priori helps to scan the file
|
||
and to load some portions of it without truncating a block, and is
|
||
particularly useful with cell-based networks like ATM.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 24]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
0 1 2 3
|
||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
| Cell Size | |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
|
||
| |
|
||
| Fixed Size Data |
|
||
| |
|
||
| /* variable length, byte-aligned */ |
|
||
| |
|
||
| |
|
||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
|
||
Figure 12: Fixed Length Block format.
|
||
|
||
The fields have the following meaning:
|
||
|
||
o Cell size: the size of the blocks contained in the data field.
|
||
|
||
o Fixed Size Data: data of this block.
|
||
|
||
|
||
5.5 Directory Block (experimental)
|
||
|
||
If present, this block contains the following information:
|
||
|
||
o number of indexed packets (N)
|
||
|
||
o table with position and length of any indexed packet (N entries)
|
||
|
||
A directory block must be followed by at least N packets, otherwise
|
||
it must be considered invalid. It can be used to efficiently load
|
||
portions of the file to memory and to support operations on memory
|
||
mapped files. This block can be added by tools like network analyzers
|
||
as a consequence of file processing.
|
||
|
||
5.6 Traffic Statistics and Monitoring Blocks (experimental)
|
||
|
||
One or more blocks could be defined to contain network statistics or
|
||
traffic monitoring information. They could be use to store data
|
||
collected from RMON or Netflow probes, or from other network
|
||
monitoring tools.
|
||
|
||
5.7 Event/Security Block (experimental)
|
||
|
||
This block could be used to store events. Events could contain
|
||
generic information (for example network load over 50%, server
|
||
down...) or security alerts. An event could be:
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 25]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
o skipped, if the application doesn't know how to do with it
|
||
|
||
o processed independently by the packets. In other words, the
|
||
applications skips the packets and processes only the alerts
|
||
|
||
o processed in relation to packets: for example, a security tool
|
||
could load only the packets of the file that are near a security
|
||
alert; a monitorg tool could skip the packets captured while the
|
||
server was down.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 26]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
6. Conclusions
|
||
|
||
The file format proposed in this document should be very versatile
|
||
and satisfy a wide range of applications. In the simplest case, it
|
||
can contain a raw dump of the network data, made of a series of
|
||
Simple Packet Blocks. In the most complex case, it can be used as a
|
||
repository for heterogeneous information. In every case, the file
|
||
remains easy to parse and an application can always skip the data it
|
||
is not interested in; at the same time, different applications can
|
||
share the file, and each of them can benfit of the information
|
||
produced by the others. Two or more files can be concatenated
|
||
obtaining another valid file.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 27]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
7. Most important open issues
|
||
|
||
o Data, in the file, must be byte or word aligned? Currently, the
|
||
structure of this document is not consistent with respect to this
|
||
point.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 28]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
Intellectual Property Statement
|
||
|
||
The IETF takes no position regarding the validity or scope of any
|
||
intellectual property or other rights that might be claimed to
|
||
pertain to the implementation or use of the technology described in
|
||
this document or the extent to which any license under such rights
|
||
might or might not be available; neither does it represent that it
|
||
has made any effort to identify any such rights. Information on the
|
||
IETF's procedures with respect to rights in standards-track and
|
||
standards-related documentation can be found in BCP-11. Copies of
|
||
claims of rights made available for publication and any assurances of
|
||
licenses to be made available, or the result of an attempt made to
|
||
obtain a general license or permission for the use of such
|
||
proprietary rights by implementors or users of this specification can
|
||
be obtained from the IETF Secretariat.
|
||
|
||
The IETF invites any interested party to bring to its attention any
|
||
copyrights, patents or patent applications, or other proprietary
|
||
rights which may cover technology that may be required to practice
|
||
this standard. Please address the information to the IETF Executive
|
||
Director.
|
||
|
||
|
||
Full Copyright Statement
|
||
|
||
Copyright (C) The Internet Society (2004). All Rights Reserved.
|
||
|
||
This document and translations of it may be copied and furnished to
|
||
others, and derivative works that comment on or otherwise explain it
|
||
or assist in its implementation may be prepared, copied, published
|
||
and distributed, in whole or in part, without restriction of any
|
||
kind, provided that the above copyright notice and this paragraph are
|
||
included on all such copies and derivative works. However, this
|
||
document itself may not be modified in any way, such as by removing
|
||
the copyright notice or references to the Internet Society or other
|
||
Internet organizations, except as needed for the purpose of
|
||
developing Internet standards in which case the procedures for
|
||
copyrights defined in the Internet Standards process must be
|
||
followed, or as required to translate it into languages other than
|
||
English.
|
||
|
||
The limited permissions granted above are perpetual and will not be
|
||
revoked by the Internet Society or its successors or assignees.
|
||
|
||
This document and the information contained herein is provided on an
|
||
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
|
||
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
|
||
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 29]
|
||
|
||
Internet-Draft PCAP New Generation Dump File Format March 2004
|
||
|
||
|
||
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
||
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
|
||
Acknowledgment
|
||
|
||
Funding for the RFC Editor function is currently provided by the
|
||
Internet Society.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Degioanni & Risso Expires August 30, 2004 [Page 30]
|
||
|