Google Git
Sign in
ara-mdk / platform / external / libpcap / d35f964735cf0ca2ed9dc98ee6c1efa303c0c598 / . / doc / pcap.txt
blob: cfa6645fc24fe6dfe420a48a7fada72bfa4f4a6b [file] [log] [blame]
Network Working Group L. Degioanni
Internet-Draft F. Risso
Expires: August 30, 2004 Politecnico di Torino
March 2004
PCAP New Generation Dump File Format
pcap
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 30, 2004.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
This document describes a format to dump captured packets on a file.
This format is extensible and it is currently proposed for
implementation in the libpcap/WinPcap packet capture library.
Degioanni & Risso Expires August 30, 2004 [Page 1]
Internet-Draft PCAP New Generation Dump File Format March 2004
Table of Contents
1. Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. General File Structure . . . . . . . . . . . . . . . . . . . . 4
2.1 General Block Structure . . . . . . . . . . . . . . . . . . . 4
2.2 Block Types . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.3 Block Hierarchy and Precedence . . . . . . . . . . . . . . . . 5
2.4 Data format . . . . . . . . . . . . . . . . . . . . . . . . . 6
3. Block Definition . . . . . . . . . . . . . . . . . . . . . . . 8
3.1 Section Header Block (mandatory) . . . . . . . . . . . . . . . 8
3.2 Interface Description Block (mandatory) . . . . . . . . . . . 9
3.3 Packet Block (optional) . . . . . . . . . . . . . . . . . . . 13
3.4 Simple Packet Block (optional) . . . . . . . . . . . . . . . . 15
3.5 Name Resolution Block (optional) . . . . . . . . . . . . . . . 16
3.6 Interface Statistics Block (optional) . . . . . . . . . . . . 18
4. Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
5. Experimental Blocks (deserved to a further investigation) . . 23
5.1 Other Packet Blocks (experimental) . . . . . . . . . . . . . . 23
5.2 Compression Block (experimental) . . . . . . . . . . . . . . . 23
5.3 Encryption Block (experimental) . . . . . . . . . . . . . . . 23
5.4 Fixed Length Block (experimental) . . . . . . . . . . . . . . 24
5.5 Directory Block (experimental) . . . . . . . . . . . . . . . . 25
5.6 Traffic Statistics and Monitoring Blocks (experimental) . . . 25
5.7 Event/Security Block (experimental) . . . . . . . . . . . . . 25
6. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 27
7. Most important open issues . . . . . . . . . . . . . . . . . . 28
Intellectual Property and Copyright Statements . . . . . . . . 29
Degioanni & Risso Expires August 30, 2004 [Page 2]
Internet-Draft PCAP New Generation Dump File Format March 2004
1. Objectives
The problem of exchanging packet traces becomes more and more
critical every day; unfortunately, no standard solutions exist for
this task right now. One of the most accepted packet interchange
formats is the one defined by libpcap, which is rather old and does
not fit for some of the nowadays applications especially in terms of
extensibility.
This document proposes a new format for dumping packet traces. The
following goals are being pursued:
o Extensibility: aside of some common functionalities, third parties
should be able to enrich the information embedded in the file with
proprietary extensions, which will be ignored by tools that are
not able to understand them.
o Portability: a capture trace must contain all the information
needed to read data independently from network, hardware and
operating system of the machine that made the capture.
o Merge/Append data: it should be possible to add data at the end of
a given file, and the resulting file must still be readable.
Degioanni & Risso Expires August 30, 2004 [Page 3]
Internet-Draft PCAP New Generation Dump File Format March 2004
2. General File Structure
2.1 General Block Structure
A capture file is organized in blocks, that are appended one to
another to form the file. All the blocks share a common format, which
is shown in Figure 1.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Block Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Block Total Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ Block Body /
/ /* variable length, aligned to 32 bits */ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Block Total Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: Basic block structure.
The fields have the following meaning:
o Block Type (32 bits): unique value that identifies the block.
Values whose Most Significant Bit (MSB) is equal to 1 are reserved
for local use. They allow to save private data to the file and to
extend the file format.
o Block Total Length: total size of this block, in bytes. For
instance, a block that does not have a body has a length of 12
bytes.
o Block Body: content of the block.
o Block Total Length: total size of this block, in bytes. This field
is duplicated for permitting backward file navigation.
This structure, shared among all blocks, makes easy to process a file
and to skip unneeded or unknown blocks. Blocks can be nested one
inside the others (NOTE: needed?). Some of the blocks are mandatory,
i.e. a dump file is not valid if they are not present, other are
optional.
The structure of the blocks allows to define other blocks if needed.
A parser that does non understand them can simply ignore their
content.
Degioanni & Risso Expires August 30, 2004 [Page 4]
Internet-Draft PCAP New Generation Dump File Format March 2004
2.2 Block Types
The currently defined blocks are the following:
1. Section Header Block: it defines the most important
characteristics of the capture file.
2. Interface Description Block: it defines the most important
characteristics of the interface(s) used for capturing traffic.
3. Packet Block: it contains a single captured packet, or a portion
of it.
4. Simple Packet Block: it contains a single captured packet, or a
portion of it, with only a minimal set of information about it.
5. Name Resolution Block: it defines the mapping from numeric
addresses present in the packet dump and the canonical name
counterpart.
6. Capture Statistics Block: it defines how to store some
statistical data (e.g. packet dropped, etc) which can be useful
to undestand the conditions in which the capture has been made.
7. Compression Marker Block: TODO
8. Encryption Marker Block: TODO
9. Fixed Length Marker Block: TODO
The following blocks instead are considered interesting but the
authors believe that they deserve more in-depth discussion before
being defined:
1. Further Packet Blocks
2. Directory Block
3. Traffic Statistics and Monitoring Blocks
4. Alert and Security Blocks
TODO Currently standardized Block Type codes are specified in
Appendix 1.
2.3 Block Hierarchy and Precedence
The file must begin with a Section Header Block. However, more than
Degioanni & Risso Expires August 30, 2004 [Page 5]
Internet-Draft PCAP New Generation Dump File Format March 2004
one Section Header Block can be present on the dump, each one
covering the data following it till the next one (or the end of
file). A Section includes the data delimited by two Section Header
Blocks (or by a Section Header Block and the end of the file),
including the first Section Header Block.
In case an application cannot read a Section because of different
version number, it must skip everything until the next Section Header
Block. Note that, in order to properly skip the blocks until the next
section, all blocks must have the fields Type and Length at the
beginning. This is a mandatory requirement that must be maintained in
future versions of the block format.
Figure 2 shows two valid files: the first has a typical
configuration, with a single Section Header that covers the whole
file. The second one contains three headers, and is normally the
result of file concatenation. An application that understands only
version 1.0 of the file format skips the intermediate section and
restart processing the packets after the third Section Header.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SHB v1.0 | Data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Typical configuration with a single Section Header Block
|-- 1st Section --|-- 2nd Section --|-- 3rd Section --|
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SHB v1.0 | Data | SHB V1.1 | Data | SHB V1.0 | Data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Configuration with three different Section Header Blocks
Figure 2: File structure example: the Section Header Block.
NOTE: TO BE COMPLETED with some examples of other blocks
2.4 Data format
Data contained in each section will always be saved according to the
characteristics (little endian / big endian) of the dumping machine.
This refers to all fields that are saved as numbers and that span
over two or more bytes.
The approach of having each section saved in the native format of the
generating host is more efficient because it avoids translation of
data when reading / writing on the host itself, which is the most
common case when generating/processing capture dumps.
Degioanni & Risso Expires August 30, 2004 [Page 6]
Internet-Draft PCAP New Generation Dump File Format March 2004
TODO Probably we have to specify something more here. Is what we're
saying enough to avoid any kind of ambiguity?.
Degioanni & Risso Expires August 30, 2004 [Page 7]
Internet-Draft PCAP New Generation Dump File Format March 2004
3. Block Definition
This section details the format of the body of the blocks currently
defined.
3.1 Section Header Block (mandatory)
The Section Header Block is mandatory. It identifies the beginning of
a section of the capture dump file. Its format is shown in Figure 3.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Magic |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Major | Minor |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ /
/ Options (variable) /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: Section Header Block format.
The meaning of the fields is:
o Magic: magic number, whose value is the hexadecimal number
0x1A2B3C4D. This number can be used to distinguish section that
have been saved on little-endian machines from the one saved on
big-endian machines.
o Major: number of the current mayor version of the format. Current
value is 1.
o Minor: number of the current minor version of the format. Current
value is 0.
o Options: optionally, a list of options (formatted according to the
rules defined in Section 4) can be present.
Aside form the options defined in Section 4, the following options
are valid within this block:
+----------------+----------------+----------------+----------------+
| Name | Code | Length | Description |
+----------------+----------------+----------------+----------------+
| Hardware | 2 | variable | An ascii |
| | | | string |
Degioanni & Risso Expires August 30, 2004 [Page 8]
Internet-Draft PCAP New Generation Dump File Format March 2004
| | | | containing the |
| | | | description of |
| | | | the hardware |
| | | | used to create |
| | | | this section. |
| | | | |
| Operating | 3 | variable | An ascii |
| System | | | string |
| | | | containing the |
| | | | name of the |
| | | | operating |
| | | | system used to |
| | | | create this |
| | | | section. |
| | | | |
| User | 3 | variable | An ascii |
| Application | | | string |
| | | | containing the |
| | | | name of the |
| | | | application |
| | | | used to create |
| | | | this section. |
+----------------+----------------+----------------+----------------+
Table 1
The Section Header Block does not contain data but it rather
identifies a list of blocks (interfaces, packets) that are logically
correlated. This block does not contain any reference to the size of
the section it is currently delimiting, therefore the reader cannot
skip a whole section at once. In case a section must be skipped, the
user has to repeatedly skip all the blocks contained within it; this
makes the parsing of the file slower but it permits to append several
capture dumps at the same file.
3.2 Interface Description Block (mandatory)
The Interface Description Block is mandatory. This block is needed to
specify the characteristics of the network interface on which the
capture has been made. In order to properly associate the captured
data to the corresponding interface, the Interface Description Block
must be defined before any other block that uses it; therefore, this
block is usually placed immediately after the Section Header Block.
An Interface Description Block is valid only inside the section which
it belongs to. The structure of a Interface Description Block is
shown in Figure 4.
Degioanni & Risso Expires August 30, 2004 [Page 9]
Internet-Draft PCAP New Generation Dump File Format March 2004
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Interface ID | LinkType |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SnapLen |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ /
/ Options (variable) /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: Interface Description Block format.
The meaning of the fields is:
o Interface ID: a progressive number that identifies uniquely any
interface inside current section. Two Interface Description Blocks
can have the same Interface ID only if they are in different
sections of the file. The Interface ID is referenced by the packet
blocks.
o LinkType: a value that defines the link layer type of this
interface.
o SnapLen: maximum number of bytes dumped from each packet. The
portion of each packet that exceeds this value will not be stored
in the file.
o Options: optionally, a list of options (formatted according to the
rules defined in Section 4) can be present.
In addition to the options defined in Section 4, the following
options are valid within this block:
+----------------+----------------+----------------+----------------+
| Name | Code | Length | Description |
+----------------+----------------+----------------+----------------+
| if_name | 2 | Variable | Name of the |
| | | | device used to |
| | | | capture data. |
| | | | |
| if_IPv4addr | 3 | 8 | Interface |
| | | | network |
| | | | address and |
| | | | netmask. |
| | | | |
| if_IPv6addr | 4 | 17 | Interface |
Degioanni & Risso Expires August 30, 2004 [Page 10]
Internet-Draft PCAP New Generation Dump File Format March 2004
| | | | network |
| | | | address and |
| | | | prefix length |
| | | | (stored in the |
| | | | last byte). |
| | | | |
| if_MACaddr | 5 | 6 | Interface |
| | | | Hardware MAC |
| | | | address (48 |
| | | | bits). |
| | | | |
| if_EUIaddr | 6 | 8 | Interface |
| | | | Hardware EUI |
| | | | address (64 |
| | | | bits), if |
| | | | available. |
| | | | |
| if_speed | 7 | 8 | Interface |
| | | | speed (in |
| | | | bps). |
| | | | |
| if_tsaccur | 8 | 1 | Precision of |
| | | | timestamps. If |
| | | | the Most |
| | | | Significant |
| | | | Bit is equal |
| | | | to zero, the |
| | | | remaining bits |
| | | | indicates the |
| | | | accuracy as as |
| | | | a negative |
| | | | power of 10 |
| | | | (e.g. 6 means |
| | | | microsecond |
| | | | accuracy). If |
| | | | the Most |
| | | | Significant |
| | | | Bit is equal |
| | | | to zero, the |
| | | | remaining bits |
| | | | indicates the |
| | | | accuracy as as |
| | | | negative power |
| | | | of 2 (e.g. 10 |
| | | | means 1/1024 |
| | | | of second). If |
| | | | this option is |
| | | | not present, a |
Degioanni & Risso Expires August 30, 2004 [Page 11]
Internet-Draft PCAP New Generation Dump File Format March 2004
| | | | precision of |
| | | | 10^-6 is |
| | | | assumed. |
| | | | |
| if_tzone | 9 | 4 | Time zone for |
| | | | GMT support |
| | | | (TODO: specify |
| | | | better). |
| | | | |
| if_flags | 10 | 4 | Interface |
| | | | flags. (TODO: |
| | | | specify |
| | | | better. |
| | | | Possible |
| | | | flags: |
| | | | promiscuous, |
| | | | inbound/outbou |
| | | | nd, traffic |
| | | | filtered |
| | | | during |
| | | | capture). |
| | | | |
| if_filter | 11 | variable | The filter |
| | | | (e.g. "capture |
| | | | only TCP |
| | | | traffic") used |
| | | | to capture |
| | | | traffic. The |
| | | | first byte of |
| | | | the Option |
| | | | Data keeps a |
| | | | code of the |
| | | | filter used |
| | | | (e.g. if this |
| | | | is a libpcap |
| | | | string, or BPF |
| | | | bytecode, and |
| | | | more). More |
| | | | details about |
| | | | this format |
| | | | will be |
| | | | presented in |
| | | | Appendix XXX |
| | | | (TODO). |
| | | | |
| if_opersystem | 12 | variable | An ascii |
| | | | string |
| | | | containing the |
Degioanni & Risso Expires August 30, 2004 [Page 12]
Internet-Draft PCAP New Generation Dump File Format March 2004
| | | | name of the |
| | | | operating |
| | | | system of the |
| | | | machine that |
| | | | hosts this |
| | | | interface. |
| | | | This can be |
| | | | different from |
| | | | the same |
| | | | information |
| | | | that can be |
| | | | contained by |
| | | | the Section |
| | | | Header Block |
| | | | (Section 3.1) |
| | | | because the |
| | | | capture can |
| | | | have been done |
| | | | on a remote |
| | | | machine. |
+----------------+----------------+----------------+----------------+
Table 2
3.3 Packet Block (optional)
A Packet Block is the standard container for storing the packets
coming from the network. The Packet Block is optional because packets
can be stored either by means of this block or the Simple Packet
Block, which can be used to speed up dump generation. The format of a
packet block is shown in Figure 5.
Degioanni & Risso Expires August 30, 2004 [Page 13]
Internet-Draft PCAP New Generation Dump File Format March 2004
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Interface ID | Drops Count |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Timestamp (High) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Timestamp (Low) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Captured Len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Packet Len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Packet Data |
| |
| /* variable length, byte-aligned */ |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ /
/ Options (variable) /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5: Packet Block format.
The Packet Block has the following fields:
o Interface ID: Specifies the interface this packet comes from, and
corresponds to the ID of one of the Interface Description Blocks
present in this section of the file (see Figure 4).
o Drops Count: a local drop counter. It specified the number of
packets lost (by the interface and the operating system) between
this packet and the preceding one. The value xFFFF (in
hexadecimal) is reserved for those systems in which this
information is not available.
o Timestamp (High): the most significative part of the timestamp. in
standard Unix format, i.e. from 1/1/1970.
o Timestamp (Low): the less significative part of the timestamp. The
way to interpret this field is specified by the 'ts_accur' option
(see Figure 4) of the Interface Description block referenced by
this packet. If the Interface Description block does not contain a
'ts_accur' option, then this field is expressed in microseconds.
o Captured Len: number of bytes captured from the packet (i.e. the
Degioanni & Risso Expires August 30, 2004 [Page 14]
Internet-Draft PCAP New Generation Dump File Format March 2004
length of the Packet Data field). It will be the minimum value
among the actual Packet Length and the snapshot length (defined in
Figure 4).
o Packet Len: actual length of the packet when it was transmitted on
the network. Can be different from Captured Len if the user wants
only a snapshot of the packet.
o Packet Data: the data coming from the network, including
link-layer headers. The length of this field is Captured Len. The
format of the link-layer headers depends on the LinkType field
specified in the Interface Description Block (see Section 3.2) and
it is specified in Appendix XXX (TODO).
o Options: optionally, a list of options (formatted according to the
rules defined in Section 4) can be present.
3.4 Simple Packet Block (optional)
The Simple Packet Block is a lightweight container for storing the
packets coming from the network. Its presence is optional.
A Simple Packet Block is similar to a Packet Block (see Section 3.3),
but it is smaller, simpler to process and contains only a minimal set
of information. This block is preferred to the standard Packet Block
when performance or space occupation are critical factors, such as in
sustained traffic dump applications. A capture file can contain both
Packet Blocks and Simple Packet Blocks: for example, a capture tool
could switch from Packet Blocks to Simple Packet Blocks when the
hardware resources become critical.
The Simple Packet Block does not contain the Interface ID field.
Therefore, it must be assumed that all the Simple Packet Blocks have
been captured on the interface previously specified in the Interface
Description Block.
Figure 6 shows the format of the Simple Packet Block.
Degioanni & Risso Expires August 30, 2004 [Page 15]
Internet-Draft PCAP New Generation Dump File Format March 2004
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Packet Len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Packet Data |
| |
| /* variable length, byte-aligned */ |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 6: Simple Packet Block format.
The Packet Block has the following fields:
o Packet Len: actual length of the packet when it was transmitted on
the network. Can be different from captured len if the packet has
been truncated.
o Packet data: the data coming from the network, including
link-layers headers. The length of this field can be derived from
the field Block Total Length, present in the Block Header.
The Simple Packet Block does not contain the timestamp because this
is one of the most costly operations on PCs. Additionally, there are
applications that do not require it; e.g. an Intrusion Detection
System is interested in packets, not in their timestamp.
The Simple Packet Block is very efficient in term of disk space: a
snapshot of length 100 bytes requires only 16 bytes of overhead,
which corresponds to an efficiency of more than 86%.
3.5 Name Resolution Block (optional)
The Name Resolution Block is used to support the correlation of
numeric addresses (present in the captured packets) and their
corresponding canonical names and it is optional. Having the literal
names saved in the file, this prevents the need of a name resolution
in a delayed time, when the association between names and addresses
can be different from the one in use at capture time. Moreover, The
Name Resolution Block avoids the need of issuing a lot of DNS
requests every time the trace capture is opened, and allows to have
name resolution also when reading the capture with a machine not
connected to the network.
The format of the Name Resolution Block is shown in Figure 7.
Degioanni & Risso Expires August 30, 2004 [Page 16]
Internet-Draft PCAP New Generation Dump File Format March 2004
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Record Type | Record Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Record Value |
| /* variable length, byte-aligned */ |
| + + + + + + + + + + + + + + + + + + + + + + + + +
| | | | |
+-+-+-+-+-+-+-+-+ + + + + + + + + + + + + + + + + + + + + + + + +
. . . other records . . .
| Record Type == end_of_recs | Record Length == 00 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ /
/ Options (variable) /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 7: Name Resolution Block format.
A Name Resolution Block is a zero-terminated list of records (in the
TLV format), each of which contains an association between a network
address and a name. There are three possible types of records:
+----------------+----------------+----------------+----------------+
| Name | Code | Length | Description |
+----------------+----------------+----------------+----------------+
| end_of_recs | 0 | 0 | End of records |
| | | | |
| ip4_rec | 1 | Variable | Specifies an |
| | | | IPv4 address |
| | | | (contained in |
| | | | the first 4 |
| | | | bytes), |
| | | | followed by |
| | | | one or more |
| | | | zero-terminate |
| | | | d strings |
| | | | containing the |
| | | | DNS entries |
| | | | for that |
| | | | address. |
| | | | |
| ip6_rec | 1 | Variable | Specifies an |
| | | | IPv6 address |
| | | | (contained in |
| | | | the first 16 |
| | | | bytes), |
Degioanni & Risso Expires August 30, 2004 [Page 17]
Internet-Draft PCAP New Generation Dump File Format March 2004
| | | | followed by |
| | | | one or more |
| | | | zero-terminate |
| | | | d strings |
| | | | containing the |
| | | | DNS entries |
| | | | for that |
| | | | address. |
+----------------+----------------+----------------+----------------+
Table 3
After the list or Name Resolution Records, optionally, a list of
options (formatted according to the rules defined in Section 4) can
be present.
A Name Resolution Block is normally placed at the beginning of the
file, but no assumptions can be taken about its position. Name
Resolution Blocks can be added in a second time by tools that process
the file, like network analyzers.
In addiction to the options defined in Section 4, the following
options are valid within this block:
+----------------+----------------+----------------+----------------+
| Name | Code | Length | Description |
+----------------+----------------+----------------+----------------+
| ns_dnsname | 2 | Variable | An ascii |
| | | | string |
| | | | containing the |
| | | | name of the |
| | | | machine (DNS |
| | | | server) used |
| | | | to perform the |
| | | | name |
| | | | resolution. |
+----------------+----------------+----------------+----------------+
3.6 Interface Statistics Block (optional)
The Interface Statistics Block contains the capture statistics for a
given interface and it is optional. The statistics are referred to
the interface defined in the current Section identified by the
Interface ID field.
The format of the Interface Statistics Block is shown in Figure 8.
Degioanni & Risso Expires August 30, 2004 [Page 18]
Internet-Draft PCAP New Generation Dump File Format March 2004
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IfRecv |
| (high + low) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IfDrop |
| (high + low) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| FilterAccept |
| (high + low) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OSDrop |
| (high + low) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| UsrDelivered |
| (high + low) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Interface ID | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ /
/ Options (variable) /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 8: Interface Statistics Block format.
The fields have the following meaning:
o IfRecv: number of packets received from the interface during the
capture. This number is reported as a 64 bits value, in which the
most significat bits are located in the first four bytes of the
field.
o IfDrop: number of packets dropped by the interface during the
capture due to lack of resources.
o FilterAccept: number of packets accepeted by filter during current
capture.
o OSDrop: number of packets dropped by the operating system during
the capture.
o UsrDelivered: number of packets delivered to the user.
UsrDelivered can be different from the value 'FilterAccept -
OSDropped' because some packets could still lay in the OS buffers
when the capture ended.
Degioanni & Risso Expires August 30, 2004 [Page 19]
Internet-Draft PCAP New Generation Dump File Format March 2004
o Interface ID: reference to an Interface Description Block.
o Reserved: Reserved to future use.
o Options: optionally, a list of options (formatted according to the
rules defined in Section 4) can be present.
In addiction to the options defined in Section 4, the following
options are valid within this block:
+----------------+----------------+----------------+----------------+
| Name | Code | Length | Description |
+----------------+----------------+----------------+----------------+
| isb_starttime | 2 | 8 | Time in which |
| | | | the capture |
| | | | started; time |
| | | | will be stored |
| | | | in two blocks |
| | | | of four bytes |
| | | | each, |
| | | | containing the |
| | | | timestamp in |
| | | | seconds and |
| | | | nanoseconds. |
| | | | |
| isb_endtime | 3 | 8 | Time in which |
| | | | the capture |
| | | | started; time |
| | | | will be stored |
| | | | in two blocks |
| | | | of four bytes |
| | | | each, |
| | | | containing the |
| | | | timestamp in |
| | | | seconds and |
| | | | nanoseconds. |
+----------------+----------------+----------------+----------------+
Degioanni & Risso Expires August 30, 2004 [Page 20]
Internet-Draft PCAP New Generation Dump File Format March 2004
4. Options
Almost all blocks have the possibility to embed optional fields.
Optional fields can be used to insert some information that may be
useful when reading data, but that it is not really needed for packet
processing. Therefore, each tool can be either read the content of
the optional fields (if any), or skip them at once.
Skipping all the optional fields at once is straightforward because
most of the blocks have a fixed length, therefore the field Block
Length (present in the General Block Structure, see Section 2.1) can
be used to skip everything till the next block.
Options are a list of Type - Length - Value fields, each one
containing a single value:
o Option Type (2 bytes): it contains the code that specifies the
type of the current TLV record. Option types whose Most
Significant Bit is equal to one are reserved for local use;
therefore, there is no guarantee that the code used is unique
among all capture files (generated by other applications). In case
of vendor-specific extensions that have to be identified uniquely,
vendors must request an Option Code whose MSB is equal to zero.
o Option Length (2 bytes): it contains the length of the following
'Option Value' field.
o Option Value (variable length): it contains the value of the given
option. The length of this field as been specified by the Option
Length field.
Options may be repeated several times (e.g. an interface that has
several IP addresses associated to it). The option list is terminated
by a special code which is the 'End of Option'.
The format of the optional fields is shown in Figure 9.
Degioanni & Risso Expires August 30, 2004 [Page 21]
Internet-Draft PCAP New Generation Dump File Format March 2004
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Code | Option Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Value |
| /* variable length, byte-aligned */ |
| + + + + + + + + + + + + + + + + + + + + + + + + +
| / / / |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ /
/ . . . other options . . . /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Code == opt_endofopt | Option Length == 0 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 9: Options format.
The following codes can always be present in any optional field:
+----------------+----------------+----------------+----------------+
| Name | Code | Length | Description |
+----------------+----------------+----------------+----------------+
| opt_endofopt | 0 | 0 | End of |
| | | | options: it is |
| | | | used to |
| | | | delimit the |
| | | | end of the |
| | | | optional |
| | | | fields. This |
| | | | block cannot |
| | | | be repeated |
| | | | within a given |
| | | | list of |
| | | | options. |
| | | | |
| opt_comment | 1 | variable | Comment: it is |
| | | | an ascii |
| | | | string |
| | | | containing a |
| | | | comment that |
| | | | is associated |
| | | | to the current |
| | | | block. |
+----------------+----------------+----------------+----------------+
Degioanni & Risso Expires August 30, 2004 [Page 22]
Internet-Draft PCAP New Generation Dump File Format March 2004
5. Experimental Blocks (deserved to a further investigation)
5.1 Other Packet Blocks (experimental)
Can some other packet blocks (besides the two described in the
previous paragraphs) be useful?
5.2 Compression Block (experimental)
The Compression Block is optional. A file can contain an arbitrary
number of these blocks. A Compression Block, as the name says, is
used to store compressed data. Its format is shown in Figure 10.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Compr. Type | |
+-+-+-+-+-+-+-+-+ |
| |
| Compressed Data |
| |
| /* variable length, byte-aligned */ |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 10: Compression Block format.
The fields have the following meaning:
o Compression Type: specifies the compression algorithm. Possible
values for this field are 0 (uncompressed), 1 (Lempel Ziv), 2
(Gzip), other?? Probably some kind of dumb and fast compression
algorithm could be effective with some types of traffic (for
example web), but which?
o Compressed Data: data of this block. Once decompressed, it is made
of other blocks.
5.3 Encryption Block (experimental)
The Encryption Block is optional. A file can contain an arbitrary
number of these blocks. An Encryption Block is used to sotre
encrypted data. Its format is shown in Figure 11.
Degioanni & Risso Expires August 30, 2004 [Page 23]
Internet-Draft PCAP New Generation Dump File Format March 2004
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Encr. Type | |
+-+-+-+-+-+-+-+-+ |
| |
| Compressed Data |
| |
| /* variable length, byte-aligned */ |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 11: Encryption Block format.
The fields have the following meaning:
o Compression Type: specifies the encryption algorithm. Possible
values for this field are ??? NOTE: this block should probably
contain other fields, depending on the encryption algorithm. To be
define precisely.
o Encrypted Data: data of this block. Once decripted, it consists of
other blocks.
5.4 Fixed Length Block (experimental)
The Fixed Length Block is optional. A file can contain an arbitrary
number of these blocks. A Fixed Length Block can be used to optimize
the access to the file. Its format is shown in Figure 12. A Fixed
Length Block stores records with constant size. It contains a set of
Blocks (normally Packet Blocks or Simple Packet Blocks), of wihich it
specifies the size. Knowing this size a priori helps to scan the file
and to load some portions of it without truncating a block, and is
particularly useful with cell-based networks like ATM.
Degioanni & Risso Expires August 30, 2004 [Page 24]
Internet-Draft PCAP New Generation Dump File Format March 2004
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cell Size | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| |
| Fixed Size Data |
| |
| /* variable length, byte-aligned */ |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 12: Fixed Length Block format.
The fields have the following meaning:
o Cell size: the size of the blocks contained in the data field.
o Fixed Size Data: data of this block.
5.5 Directory Block (experimental)
If present, this block contains the following information:
o number of indexed packets (N)
o table with position and length of any indexed packet (N entries)
A directory block must be followed by at least N packets, otherwise
it must be considered invalid. It can be used to efficiently load
portions of the file to memory and to support operations on memory
mapped files. This block can be added by tools like network analyzers
as a consequence of file processing.
5.6 Traffic Statistics and Monitoring Blocks (experimental)
One or more blocks could be defined to contain network statistics or
traffic monitoring information. They could be use to store data
collected from RMON or Netflow probes, or from other network
monitoring tools.
5.7 Event/Security Block (experimental)
This block could be used to store events. Events could contain
generic information (for example network load over 50%, server
down...) or security alerts. An event could be:
Degioanni & Risso Expires August 30, 2004 [Page 25]
Internet-Draft PCAP New Generation Dump File Format March 2004
o skipped, if the application doesn't know how to do with it
o processed independently by the packets. In other words, the
applications skips the packets and processes only the alerts
o processed in relation to packets: for example, a security tool
could load only the packets of the file that are near a security
alert; a monitorg tool could skip the packets captured while the
server was down.
Degioanni & Risso Expires August 30, 2004 [Page 26]
Internet-Draft PCAP New Generation Dump File Format March 2004
6. Conclusions
The file format proposed in this document should be very versatile
and satisfy a wide range of applications. In the simplest case, it
can contain a raw dump of the network data, made of a series of
Simple Packet Blocks. In the most complex case, it can be used as a
repository for heterogeneous information. In every case, the file
remains easy to parse and an application can always skip the data it
is not interested in; at the same time, different applications can
share the file, and each of them can benfit of the information
produced by the others. Two or more files can be concatenated
obtaining another valid file.
Degioanni & Risso Expires August 30, 2004 [Page 27]
Internet-Draft PCAP New Generation Dump File Format March 2004
7. Most important open issues
o Data, in the file, must be byte or word aligned? Currently, the
structure of this document is not consistent with respect to this
point.
Degioanni & Risso Expires August 30, 2004 [Page 28]
Internet-Draft PCAP New Generation Dump File Format March 2004
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
Full Copyright Statement
Copyright (C) The Internet Society (2004). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
Degioanni & Risso Expires August 30, 2004 [Page 29]
Internet-Draft PCAP New Generation Dump File Format March 2004
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Degioanni & Risso Expires August 30, 2004 [Page 30]