From defc5423c3ba9c93651a07afb901792844b6b355 Mon Sep 17 00:00:00 2001 From: Guy Harris Date: Tue, 5 Mar 2024 00:46:42 -0800 Subject: [PATCH] Don't suggest that the Original Packet Length is an "on-the-wire" length. The data in a packet isn't necessarily data exactly as it is on the network; once upon a time, the data provided when capturing corresponded to the octets "on the wire" or "on the air" at the data link layer, but, now, the data provided when capturing might: * include a metadata header that doesn't show up on the wire/air; * be the result of ATM AAL5 reassembly rather than just be raw cells; * represent a USB transaction as seen by the host rather than raw USB traffic; * include padding between chunks of data in an isochronous USB transfer; * etc. And even in the old days, the data might, or might not, include the CRC at the end of a packet. Don't encourage people to think that the Original Packet Length field corresponds to the length on the wire, as it might not. Clean up some other stuff while we're at it. --- draft-ietf-opsawg-pcap.md | 30 +++++++++++++++++------------- draft-ietf-opsawg-pcapng.md | 26 ++++++++++++++------------ 2 files changed, 31 insertions(+), 25 deletions(-) diff --git a/draft-ietf-opsawg-pcap.md b/draft-ietf-opsawg-pcap.md index 09a4e41..388c9bd 100644 --- a/draft-ietf-opsawg-pcap.md +++ b/draft-ietf-opsawg-pcap.md @@ -150,7 +150,7 @@ SnapLen (32 bits): : an unsigned value indicating the maximum number of octets captured from each packet. The portion of each packet that exceeds this value will not be stored in the file. This value MUST NOT be zero; if no -limit was specified, the value should be a number greater than or equal +limit was specified, the value SHOULD be a number greater than or equal to the largest packet length in the file. LinkType and additional information (32 bits): 
@@ -239,30 +239,34 @@ of packets in that file are in units of microseconds or nanoseconds. Captured Packet Length (32 bits): : an unsigned value that indicates the number of octets captured from -the packet (i.e. the length of the Packet Data field). It will be the +the packet (i.e., the length of the Packet Data field). It will be the minimum value among the Original Packet Length and the snapshot length for the interface (SnapLen, defined in Figure 1). Original Packet Length (32 bits): -: an unsigned value that indicates the actual length of the packet when -it was transmitted on the network. It can be different from the -Captured Packet Length if the packet has been truncated by the capture -process; it SHOULD NOT be less than the Captured Packet Length. +: an unsigned value that indicates the number of octets of packet data +that would have been provided had the packet not been truncated to the +snapshot length for the interface or to a length limit imposed by the +capture mechanism. If no truncation was done, it will be the same as +the Captured Packet Length, but it will be different from the Captured +Packet Length if the packet has been truncated by the capture process. +It SHOULD NOT be less than the Captured Packet Length. : A pcap file writer MAY write an Original Packet Length that is less than the Captured Packet Length if both the Captured Packet Length and the Original Packet length came from a file in which a packet had an Original Packet Length less than the Captured Packet Length; otherwise, it MUST write an Original Packet Length that is greater than or equal to the Captured Packet Length. -: A pcap file reader MAY convert an Original -Packet Length that is less than the Captured Packet Length to a value -that is greater than or equal to the Captured Packet Length. +: A pcap file reader MAY convert an Original Packet Length that is less +than the Captured Packet Length to a value that is greater than or equal +to the Captured Packet Length. 
Packet Data: -: the data coming from the network, including link-layer headers. The -actual length of this field is Captured Packet Length. The format of -the link-layer headers depends on the LinkType field specified in the -file header (see Figure 1) and it is specified in {{I-D.ietf-opsawg-pcaplinktype}}. +: the data coming from the network, including link-layer headers. The +actual length of this field is the Captured Packet Length. The format +of the link-layer headers depends on the LinkType field specified in the +file header (see Figure 1) and it is specified in +{{I-D.ietf-opsawg-pcaplinktype}}. Packet Records are not padded to a 4-octet boundary; if the number of octets of packet data is not a multiple of 4, there are no padding diff --git a/draft-ietf-opsawg-pcapng.md b/draft-ietf-opsawg-pcapng.md index e3c2abf..e99efa8 100644 --- a/draft-ietf-opsawg-pcapng.md +++ b/draft-ietf-opsawg-pcapng.md 
@@ -1308,19 +1308,21 @@ The Enhanced Packet Block has the following fields: * Captured Packet Length (32 bits): an unsigned value that indicates the number of octets captured from the packet - (i.e. the length of the Packet Data field). It will be the + (i.e., the length of the Packet Data field). It will be the minimum value among the Original Packet Length and the - snapshot length for the interface (SnapLen, defined in {{format_idb}}). The value of this field does - not include the padding octets added at the end of the Packet - Data field to align the Packet Data field to a 32-bit - boundary. - -* Original Packet Length (32 bits): an unsigned value that - indicates the actual length of the packet when it was - transmitted on the network. It can be different from - the Captured Packet Length if the packet has been truncated - by the capture process; it SHOULD NOT be less than the Captured Packet - Length. + snapshot length for the interface (SnapLen, defined in + {{format_idb}}). The value of this field does not include the padding + octets added at the end of the Packet Data field to align the Packet + Data field to a 32-bit boundary. + +* Original Packet Length (32 bits): an unsigned value that indicates the + number of octets of packet data that would have been provided had the + packet not been truncated to the snapshot length for the interface or + to a length limit imposed by the capture mechanism. If no truncation + was done, it will be the same as the Captured Packet Length, but it + will be different from the Captured Packet Length if the packet has + been truncated by the capture process. It SHOULD NOT be less than the + Captured Packet Length. A pcapng file writer MAY write an Original Packet Length that is less than the Captured Packet Length if both the Captured Packet Length and
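Review bot: In the SnapLen hunk of draft-ietf-opsawg-pcap.md (@@ -150), "the largest packet length in the file" does not say which length is meant, while the rest of this patch makes the distinction between Captured Packet Length and Original Packet Length more precise. Suggest naming the field explicitly, for example "the largest Captured Packet Length in the file" if that is the intent, so that a reader checking record lengths against SnapLen knows which field to compare.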
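Review bot: In the packet record hunk of draft-ietf-opsawg-pcap.md (@@ -239), the Packet Data description still opens with "the data coming from the network, including link-layer headers", which keeps the on-the-wire framing that the commit message argues against (metadata headers, AAL5 reassembly, host-side USB transactions). Suggest rewording it in the same terms as the new Original Packet Length text, for example "the packet data as provided by the capture mechanism". The writer paragraph kept as context in this hunk also has "Original Packet length" with a lowercase "length", which could be fixed as part of the same cleanup.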
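Review bot: In the Enhanced Packet Block hunk of draft-ietf-opsawg-pcapng.md (@@ -1308), and likewise in the pcap hunk at @@ -239, Captured Packet Length is still defined as "the minimum value among the Original Packet Length and the snapshot length for the interface", while the new Original Packet Length text introduces a second cause of truncation, "a length limit imposed by the capture mechanism". With such a limit the captured length can be smaller than both of those values, so the two definitions no longer agree. Suggest having the Captured Packet Length text mention that limit as well, or state that the value is no greater than that minimum.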