draios / sysdig

Linux system exploration and troubleshooting tool with first class support for containers
http://www.sysdig.com/

Please document the pcapng blocks you've added #1060

Open guyharris opened 6 years ago

guyharris commented 6 years ago

I've listed the block numbers from the current source code in the current version of the pcapng spec; please document the formats of those blocks so that 1) the spec can point to the documentation and 2) people who want to write code to process those blocks can do so.

BTW, the event block has a length field in it; is the intent that events can be cut off by a snapshot length, similar to how packets can be cut off by a snapshot length, so that the event length could be greater than the remaining amount of data in the block, or is the intent that options can follow the event data, so that the event length could be less than the remaining amount of data in the block?
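The bounds checks a reader needs for the two interpretations raised above, as an added example (not sysdig's code, and not the pcapng draft's). The outer block framing (type, total length, body padded to 32 bits, repeated total length) is the pcapng spec's; the event body layout used here (a leading u32 event length followed by event data) is an assumed stand-in, since the Sysdig block format is not documented on this page, and the block type value is taken from the local-use range so it cannot collide with an assigned one. Every length is validated against the bytes actually present before any slice is taken.

```python
"""Bounds-checked pcapng block-framing reader (added example).

Outer framing follows the pcapng spec. The event body layout (u32 event
length, then event data) is an ASSUMPTION for illustration only.
"""
import struct
from typing import Iterator, List, Tuple

BLOCK_HEADER = struct.Struct("<II")  # block type, block total length
SHB_TYPE = 0x0A0D0D0A                # Section Header Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D        # little-endian section
# Hypothetical block type from the local-use range (0x80000000 and up).
DEMO_EVENT_TYPE = 0x80000001


class PcapngError(ValueError):
    """Raised for any framing violation instead of reading out of bounds."""


def iter_blocks(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (block_type, body) for each block, validating every length.

    Only little-endian sections are handled; the SHB magic is checked so a
    big-endian file fails loudly rather than being misparsed.
    """
    off, first = 0, True
    while off < len(buf):
        if len(buf) - off < 12:
            raise PcapngError(f"truncated block header at offset {off}")
        btype, total_len = BLOCK_HEADER.unpack_from(buf, off)
        if total_len < 12 or total_len % 4:
            raise PcapngError(f"bad block total length {total_len} at {off}")
        if total_len > len(buf) - off:
            raise PcapngError(f"block at {off} claims {total_len} bytes but "
                              f"only {len(buf) - off} remain")
        (trailer,) = struct.unpack_from("<I", buf, off + total_len - 4)
        if trailer != total_len:
            raise PcapngError(f"trailing length {trailer} != {total_len} at {off}")
        body = buf[off + 8:off + total_len - 4]
        if first:
            if (btype != SHB_TYPE or len(body) < 4
                    or struct.unpack_from("<I", body)[0] != BYTE_ORDER_MAGIC):
                raise PcapngError("file does not start with a little-endian SHB")
            first = False
        yield btype, body
        off += total_len


def classify_event_length(body: bytes) -> Tuple[str, int]:
    """Compare the assumed leading u32 event length with the bytes that follow.

    "truncated": event length exceeds the data present (snapshot-style cut-off)
    "trailing":  data remains after the event (room for options or padding)
    "exact":     event length equals the remaining data
    The second element is the size of the mismatch in bytes.
    """
    if len(body) < 4:
        raise PcapngError("event body too short for a length field")
    (event_len,) = struct.unpack_from("<I", body, 0)
    remaining = len(body) - 4
    if event_len > remaining:
        return "truncated", event_len - remaining
    if event_len < remaining:
        return "trailing", remaining - event_len
    return "exact", 0


def summarize(buf: bytes) -> List[Tuple[str, int]]:
    """Classify every demo event block in a capture; SHBs are skipped."""
    return [classify_event_length(body) for btype, body in iter_blocks(buf)
            if btype == DEMO_EVENT_TYPE]


def is_malformed(buf: bytes) -> bool:
    """True when framing validation rejects the input."""
    try:
        summarize(buf)
        return False
    except PcapngError:
        return True


def build_block(btype: int, body: bytes) -> bytes:
    """Frame a body as a pcapng block: header, 32-bit padding, trailing length."""
    pad = (-len(body)) % 4
    total = 12 + len(body) + pad
    return BLOCK_HEADER.pack(btype, total) + body + b"\0" * pad + struct.pack("<I", total)


def build_shb() -> bytes:
    # byte-order magic, major 1, minor 0, section length -1 (unspecified)
    return build_block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))


def demo_event(event_len: int, data: bytes) -> bytes:
    return build_block(DEMO_EVENT_TYPE, struct.pack("<I", event_len) + data)


# Constructed sample capture: one exact event, one cut short, one with room left.
SAMPLE = (build_shb() + demo_event(8, b"A" * 8)
          + demo_event(16, b"B" * 8) + demo_event(4, b"C" * 8))
# Constructed malformed capture: total length larger than the bytes present.
MALFORMED = build_shb() + BLOCK_HEADER.pack(DEMO_EVENT_TYPE, 64) + b"\0" * 4

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print("malformed rejected:", is_malformed(MALFORMED))
```

The `first`-block check matters because the SHB's byte-order magic decides how every later length is read; a reader that guesses endianness can turn an otherwise honest total length into an out-of-bounds slice.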

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

guyharris commented 1 year ago

@geraldcombs: I'd really like to have all pcapng blocks that don't have block types in the reserved-for-local-use range be documented either in the pcapng spec or in the "additional block types" spec. The types used by Sysdig's software probably belong in the "additional block types" spec rather than the core pcapng spec.

(In the future, if you don't want to have to document it in any pcapng spec, you could grab a Private Enterprise Number and use Custom Blocks; however, the existing blocks are already out there in the wild, so they should be documented, at minimum, to the extent that their block type values are not available for assignment to another block type.)