eqvinox
commented
12 months ago Can you rebase and fix the TBD?
done
Open eqvinox opened 1 year ago
eqvinox
commented
12 months ago Can you rebase and fix the TBD?
done
guyharris
commented
12 months ago A URL change needs to be made:
guyharris
commented
12 months ago If the block contains options, there MUST be at least one byte of zero padding present to mark the end of the journal entry. This only makes a difference if the journal entry is a multiple of four octets long, in this case 4 bytes of zero padding MUST be appended. Blocks without options do not contain any zero padding if the journal entry is a multiple of 4 octets long, therefore readers MUST NOT rely on the presence of a zero byte to terminate the entry.
So what is the algorithm that a pcapng reader would use to find the end of the journal entry?
Search for a zero byte, starting at the beginning of the Journal Entry field and ending just before the beginning of the Block Total Length field.
If a zero byte is not found, the entry ends before the Block Total Length field (as it's not padded).
If a zero byte is found, the entry ends before the zero byte; skip over zero bytes until you're at a 4-byte boundary. If the Block Total Length field follows the entry, there are no options; otherwise, the options begin on that 4-byte boundary and run until the Block Total Length field.
mcr
commented
12 months ago wish we could put the options first....
eqvinox
commented
12 months ago A URL change needs to be made: […]
Search for a zero byte, starting at the beginning of the Journal Entry field and ending just before the beginning of the Block Total Length field.
Yes — if there's any zero bytes, options start at the 4-byte boundary following the first zero byte. To be clear, if any options are present, there will be 1 to 4 zero bytes of padding. If without any zero bytes, the entry ends at a 4-byte boundary, there will be 4 bytes of zero padding. Otherwise how would you tell the entry has in fact ended…
wish we could put the options first....
Yup, that'd make things a lot easier :cry: … sadly the format is already established without options…
Can't currently put options on captured log messages... (Also adding a nanosecond timestamp in the next commit.)
Really want to add a comment on some log messages :smile:
I'm fully aware wireshark (aka the primary pcap-ng editing tool) doesn't support this yet, I just feel like specifying out things before implementing them. I may code this up for wireshark in a bit. It currently ignores the "trailing garbage" (my generator already tries generating comments because I didn't check that the journal block actually supports options…)
I'm 99.9% sure this shouldn't cause any compatibility problems; any reader or writer unaware of the options would still process the blocks correctly. Even if a writer was previously generating "excessive" padding (0…3 + n*4 zero bytes), it would just be read as end-of-options. Doing it this way should make existing readers just ignore the options.
No idea how to make the cross-document reference to
section_optwork :disappointed: