Wireshark-dev: [Wireshark-dev] pcapng options
From: Marc Petit-Huguenin <marc@xxxxxxxxxxxxxxxxxx>
Date: Thu, 01 Nov 2012 13:28:44 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

I am writing an external program that is reading a pcapng file generated by
editcap.  The spec for pcapng[1] describes the options as a list of TLV ended
by the opt_endofopt type, so one may think that the minimal option list is the
empty list 0x00000000.  But a file (generated by editcap) containing no option
in the EnhancedPacket block does not contain even an empty list.  There is a
redundancy here - if the presence of an option list is determined by the size
of the block, then opt_endofopt is redundant as the end of list can be
determined from the block size (and in all cases, opt_endofopt still looks
redundant)

So, is editcap right to not put an empty list after the captured packet? and
if it is the case, then what is the point of opt_endofopt?

Thanks.


[1] https://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
- -- 
Marc Petit-Huguenin
Email: marc@xxxxxxxxxxxxxxxxxx
Blog: http://blog.marc.petit-huguenin.org
Profile: http://www.linkedin.com/in/petithug
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQktt7AAoJECnERZXWan7E/K0P/j/HE/5vkOQAyB2vLi83qSvw
CXrlZUFloMw0Sv1CsHYdaRFQiiybzZe8A0A6ef00uSXI0M2TRbp55nR1huk33OcO
7JXyJdVRwH6A1+zKk0u06YnAXPmgbAuqVhCHE0UAqUOmok6GWRTlaCpC6qxuS1qO
lG7pg7YuI/S6SAgbqzZ1FPyOonvZhr5wGqMiucg9KNP07VrH/jwowMRbZZR7YQbY
Pt7OVksUM5gkkMogLIblJUYYAKkahDMYfAaVdtAM1Lc4zCXJnT9Rzn+LdQwC52iL
XSV/onG33p9IVyxxksOgFm09fk2lF6y7XK3WuEPhey6ZGLj2dZOu85CMhuv+R9Uz
HRp6rzwnhzuRiqa4gillNMxEXWUJlY9zIlZztvcG0r+IGP6RYHYtv5QdM7SFdCKE
vdUQ5FiurxS4hL+EBFdEmansoTroTbzszyZFCl+lU79mjo/OQKM9OK1X//nwEqZu
fDbKc6gJXJ2vZheaNAgpYk84epcuMowO6qHwtQUjSPgIuFtQSD+XXT+9kXq/r946
N5UxhHhR0/zBuhXfvYhfL1mOF5ngR7A1wV9rVUy3UtgCfzqAB7b6LxU/7CN+DXXN
D9zUe6AeAGtOaiFnjlCEd37oFm0vTzF+O6Gqhxmc5yUugcEc7J55GLr8BGfwvOTf
54nMQQmtqG8ZISCFkh5M
=YxpU
-----END PGP SIGNATURE-----