IETF-OPSAWG-WG / draft-ietf-opsawg-pcap

PCAP next generation file format specification

Sysdig Standardized Block Type Codes #165

Closed bubbasnmp closed 4 days ago

bubbasnmp commented 4 days ago

Is it correct that the Sysdig block numbers did not increment as hexadecimal numbers?

0x00000209  Sysdig Process Info Block, version 3
0x00000210  Sysdig Process Info Block, version 4

Why not:

0x00000209  Sysdig Process Info Block, version 3
0x0000020A  Sysdig Process Info Block, version 4

https://www.ietf.org/archive/id/draft-tuexen-opsawg-pcapng-03.html#name-standardized-block-type-cod

0x00000201  Sysdig Machine Info Block
0x00000202  Sysdig Process Info Block, version 1
0x00000203  Sysdig FD List Block
0x00000204  Sysdig Event Block
0x00000205  Sysdig Interface List Block
0x00000206  Sysdig User List Block
0x00000207  Sysdig Process Info Block, version 2
0x00000208  Sysdig Event Block with flags
0x00000209  Sysdig Process Info Block, version 3
0x00000210  Sysdig Process Info Block, version 4
0x00000211  Sysdig Process Info Block, version 5
0x00000212  Sysdig Process Info Block, version 6
0x00000213  Sysdig Process Info Block, version 7
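
The table above is the list a pcapng reader has to recognise, and the jump from 0x209 straight to 0x210 is exactly the kind of detail a hand-written parser gets wrong. As an added example (not code from this issue, the Internet-Draft, libscap or Wireshark), here is a small Python block walker that reads pcapng block headers, takes the byte order from the Section Header Block's byte-order magic, cross-checks the leading and trailing block lengths, and names Sysdig blocks using the codes exactly as listed in the comment above. Treating 0x200-0x2FF as the Sysdig area and reporting codes in that range that the table does not list (0x20A-0x20F) separately from other unknown types is this example's own choice, not something the draft states; the sample bytes are constructed inline.

```python
import struct

# Block type codes exactly as listed in the issue's excerpt of the draft.
# Note the jump from 0x209 straight to 0x210: 0x20A..0x20F are not listed.
SYSDIG_BLOCK_TYPES = {
    0x00000201: "Sysdig Machine Info Block",
    0x00000202: "Sysdig Process Info Block, version 1",
    0x00000203: "Sysdig FD List Block",
    0x00000204: "Sysdig Event Block",
    0x00000205: "Sysdig Interface List Block",
    0x00000206: "Sysdig User List Block",
    0x00000207: "Sysdig Process Info Block, version 2",
    0x00000208: "Sysdig Event Block with flags",
    0x00000209: "Sysdig Process Info Block, version 3",
    0x00000210: "Sysdig Process Info Block, version 4",
    0x00000211: "Sysdig Process Info Block, version 5",
    0x00000212: "Sysdig Process Info Block, version 6",
    0x00000213: "Sysdig Process Info Block, version 7",
}

SHB_TYPE = 0x0A0D0D0A          # Section Header Block; same bytes in either byte order
BYTE_ORDER_MAGIC = 0x1A2B3C4D  # written in the section's native byte order
SYSDIG_RANGE = range(0x00000200, 0x00000300)  # assumption: treat 0x2xx as the Sysdig area


class PcapngError(ValueError):
    """Raised when a block header's lengths or magic are inconsistent."""


def build_block(block_type, body, endian="<"):
    """Construct one pcapng block: type, total length, body padded to 4, total length."""
    body += b"\x00" * ((-len(body)) % 4)
    total = 12 + len(body)
    return struct.pack(endian + "II", block_type, total) + body + struct.pack(endian + "I", total)


def build_shb(endian="<"):
    """Construct a minimal Section Header Block (constructed sample data)."""
    # byte-order magic, major version 1, minor version 0, section length -1 (unknown)
    body = struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)
    return build_block(SHB_TYPE, body, endian)


def walk_blocks(data):
    """Yield (block_type, body) for each block, validating lengths as we go."""
    off, endian = 0, None
    while off < len(data):
        if len(data) - off < 12:
            raise PcapngError(f"truncated block header at offset {off}")
        # The SHB type is byte-order independent, so it can be read before we know the order.
        if struct.unpack_from(">I", data, off)[0] == SHB_TYPE:
            magic = struct.unpack_from(">I", data, off + 8)[0]
            if magic == BYTE_ORDER_MAGIC:
                endian = ">"
            elif magic == 0x4D3C2B1A:  # the same magic seen byte-swapped
                endian = "<"
            else:
                raise PcapngError(f"bad byte-order magic 0x{magic:08X} at offset {off}")
        if endian is None:
            raise PcapngError("block appears before the first Section Header Block")
        btype, total = struct.unpack_from(endian + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise PcapngError(f"bad block total length {total} at offset {off}")
        trailer = struct.unpack_from(endian + "I", data, off + total - 4)[0]
        if trailer != total:
            raise PcapngError(f"leading/trailing length mismatch at offset {off}")
        yield btype, data[off + 8 : off + total - 4]
        off += total


def classify(block_type):
    """Name a block type from the table; flag gaps in the Sysdig range explicitly."""
    if block_type == SHB_TYPE:
        return "Section Header Block"
    if block_type in SYSDIG_BLOCK_TYPES:
        return SYSDIG_BLOCK_TYPES[block_type]
    if block_type in SYSDIG_RANGE:
        return f"unlisted code in Sysdig range 0x{block_type:08X}"
    return f"unknown block type 0x{block_type:08X}"


def scan(data):
    """Return [(block_type, name), ...] for every block in a pcapng byte string."""
    return [(btype, classify(btype)) for btype, _ in walk_blocks(data)]


if __name__ == "__main__":
    # Constructed sample: SHB, a version-4 process info block, and a code from the gap.
    sample = build_shb() + build_block(0x210, b"proc-v4") + build_block(0x20A, b"?")
    for btype, name in scan(sample):
        print(f"0x{btype:08X}  {name}")
```

Running the block prints the three classifications, with 0x0000020A called out as an unlisted code rather than silently skipped; a reader that instead assumed the codes were contiguous hexadecimal values would misname version 4 or reject it.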

guyharris commented 4 days ago

@geraldcombs? @ldegio?

bubbasnmp commented 4 days ago

I'm still learning my way around. Assuming this is the master source for libscap.
https://github.com/falcosecurity/libs/blob/master/userspace/libscap/scap_savefile.h#L100

#define PL_BLOCK_TYPE_V4 0x210

guyharris commented 4 days ago

It appears that the code does, in fact, go from 0x209 to 0x0210, in which case the spec should reflect that.

bubbasnmp commented 3 days ago

Is this the most current spec: https://datatracker.ietf.org/doc/draft-ietf-opsawg-pcapng/ ?
It goes up to 0x00000213.

wiretap/pcapng_module.h has entries up to 0x00000222 with another jump from 0x00000219 to 0x00000220.

guyharris commented 3 days ago

https://datatracker.ietf.org/doc/draft-ietf-opsawg-pcapng/ is the current version of the Internet-Draft.

https://ietf-opsawg-wg.github.io/draft-ietf-opsawg-pcap/draft-ietf-opsawg-pcap.html is produced from the tip of the main branch.

(If this were a software product, the first of those would be the current release, and the latter would be what you get if you build from the repository. :-))

packetfoo commented 3 days ago

@geraldcombs? @ldegio?

Not sure how that one happened - back then (in February 2014) Loris asked for block numbers and we agreed on 0x200-0x206 at the time, per email. I didn't find anything regarding higher numbers being added later.

guyharris commented 3 days ago

> Not sure how that one happened

"That" as in "Sysdig adding additional block types" or "adding those block types to the specification"?

packetfoo commented 2 days ago

> Not sure how that one happened
>
> "That" as in "Sysdig adding additional block types" or "adding those block types to the specification"?

As in "Sysdig adding additional block types". I added the first block types to the specification in agreement with Loris, which may not have been an ideal way of proceeding. I didn't know a better way back at the time.