Internet DRAFT - draft-ietf-opsawg-pcapng

draft-ietf-opsawg-pcapng







Network Working Group                                     M. Tuexen, Ed.
Internet-Draft                          Muenster Univ. of Appl. Sciences
Intended status: Informational                                  F. Risso
Expires: 24 January 2024                           Politecnico di Torino
                                                             J. Bongertz
                                                 Airbus DS CyberSecurity
                                                                G. Combs
                                                               Wireshark
                                                               G. Harris
                                                                        
                                                             E. Chaudron
                                                                 Red Hat
                                                           M. Richardson
                                                               Sandelman
                                                            23 July 2023


           PCAP Next Generation (pcapng) Capture File Format
                      draft-ietf-opsawg-pcapng-01

Abstract

   This document describes a format to record captured packets to a
   file.  This format is extensible; Wireshark can currently read and
   write it, and libpcap can currently read some pcapng files.

About This Document

   This note is to be removed before publishing as an RFC.

   Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-ietf-opsawg-pcapng/.

   Discussion of this document takes place on the opsawg Working Group
   mailing list (mailto:opsawg@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/opsawg/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/opsawg/.

   Source for this draft and an issue tracker can be found at
   https://github.com/IETF-OPSAWG-WG/pcapng.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.






Tuexen, et al.           Expires 24 January 2024                [Page 1]

Internet-Draft                   pcapng                        July 2023


   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 24 January 2024.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
     2.1.  Acronyms  . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  General File Structure  . . . . . . . . . . . . . . . . . . .   4
     3.1.  General Block Structure . . . . . . . . . . . . . . . . .   4
     3.2.  Block Types . . . . . . . . . . . . . . . . . . . . . . .   5
     3.3.  Logical Block Hierarchy . . . . . . . . . . . . . . . . .   7
     3.4.  Physical File Layout  . . . . . . . . . . . . . . . . . .   7
     3.5.  Options . . . . . . . . . . . . . . . . . . . . . . . . .   9
       3.5.1.  Custom Options  . . . . . . . . . . . . . . . . . . .  12
     3.6.  Data format . . . . . . . . . . . . . . . . . . . . . . .  13
       3.6.1.  Endianness  . . . . . . . . . . . . . . . . . . . . .  13
       3.6.2.  Alignment . . . . . . . . . . . . . . . . . . . . . .  14
       3.6.3.  Strings . . . . . . . . . . . . . . . . . . . . . . .  14
   4.  Block Definition  . . . . . . . . . . . . . . . . . . . . . .  14
     4.1.  Section Header Block  . . . . . . . . . . . . . . . . . .  14
     4.2.  Interface Description Block . . . . . . . . . . . . . . .  18
     4.3.  Enhanced Packet Block . . . . . . . . . . . . . . . . . .  25
       4.3.1.  Enhanced Packet Block Flags Word  . . . . . . . . . .  30
     4.4.  Simple Packet Block . . . . . . . . . . . . . . . . . . .  31



Tuexen, et al.           Expires 24 January 2024                [Page 2]

Internet-Draft                   pcapng                        July 2023


     4.5.  Name Resolution Block . . . . . . . . . . . . . . . . . .  33
     4.6.  Interface Statistics Block  . . . . . . . . . . . . . . .  37
     4.7.  Decryption Secrets Block  . . . . . . . . . . . . . . . .  40
     4.8.  Custom Block  . . . . . . . . . . . . . . . . . . . . . .  44
   5.  Vendor-Specific Custom Extensions . . . . . . . . . . . . . .  46
     5.1.  Supported Use-Cases . . . . . . . . . . . . . . . . . . .  46
     5.2.  Controlling Copy Behavior . . . . . . . . . . . . . . . .  46
     5.3.  Strings vs. Octets  . . . . . . . . . . . . . . . . . . .  47
     5.4.  Endianness Issues . . . . . . . . . . . . . . . . . . . .  47
   6.  Recommended File Name Extension: .pcapng  . . . . . . . . . .  48
   7.  Conclusions . . . . . . . . . . . . . . . . . . . . . . . . .  49
   8.  Implementations . . . . . . . . . . . . . . . . . . . . . . .  49
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  49
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  49
     10.1.  Standardized Block Type Codes  . . . . . . . . . . . . .  49
   11. Contributors  . . . . . . . . . . . . . . . . . . . . . . . .  52
   12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  52
   13. References  . . . . . . . . . . . . . . . . . . . . . . . . .  52
     13.1.  Normative References . . . . . . . . . . . . . . . . . .  52
     13.2.  Informative References . . . . . . . . . . . . . . . . .  53
   Appendix A.  Packet Block (obsolete!) . . . . . . . . . . . . . .  53
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  56

1.  Introduction

   The problem of exchanging packet traces becomes more and more
   critical every day; unfortunately, no standard solutions exist for
   this task right now.  One of the most accepted packet interchange
   formats is the one defined by libpcap, which is rather old and is
   lacking in functionality for more modern applications particularly
   from the extensibility point of view.

   This document proposes a new format for recording packet traces.  The
   following goals are being pursued:

   Extensibility:  It should be possible to add new standard
      capabilities to the file format over time, and third parties
      should be able to enrich the information embedded in the file with
      proprietary extensions, with tools unaware of newer extensions
      being able to ignore them.

   Portability:  A capture trace must contain all the information needed
      to read data independently from network, hardware and operating
      system of the machine that made the capture.

   Merge/Append data:  It should be possible to add data at the end of a
      given file, and the resulting file must still be readable.




Tuexen, et al.           Expires 24 January 2024                [Page 3]

Internet-Draft                   pcapng                        July 2023


2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.1.  Acronyms

   The following acronyms are used throughout this document:

   SHB:  Section Header Block

   IDB:  Interface Description Block

   ISB:  Interface Statistics Block

   EPB:  Enhanced Packet Block

   SPB:  Simple Packet Block

   NRB:  Name Resolution Block

   CB:  Custom Block

3.  General File Structure

3.1.  General Block Structure

   A capture file is organized in blocks, that are appended one to
   another to form the file.  All the blocks share a common format,
   which is shown in Figure 1.

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    0 |                          Block Type                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    4 |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    8 /                          Block Body                           /
      /              variable length, padded to 32 bits               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                      Figure 1: Basic block structure.



Tuexen, et al.           Expires 24 January 2024                [Page 4]

Internet-Draft                   pcapng                        July 2023


   The fields have the following meaning:

   *  Block Type (32 bits): a unique unsigned value that identifies the
      block.  Values whose Most Significant Bit (MSB) is equal to 1 are
      reserved for local use.  They can be used to make extensions to
      the file format to save private data to the file.  The list of
      currently defined types can be found in Section 10.1.

   *  Block Total Length (32 bits): an unsigned value giving the total
      size of this block, in octets.  For instance, the length of a
      block that does not have a body is 12 octets: 4 octets for the
      Block Type, 4 octets for the initial Block Total Length and 4
      octets for the trailing Block Total Length.  This value MUST be a
      multiple of 4.

   *  Block Body: content of the block.

   *  Block Total Length: total size of this block, in octets.  This
      field is duplicated to permit backward file navigation.

   This structure, shared among all blocks, makes it easy to process a
   file and to skip unneeded or unknown blocks.  Some blocks can contain
   other blocks inside (nested blocks).  Some of the blocks are
   mandatory, i.e. a capture file is not valid if they are not present,
   other are optional.

   The General Block Structure allows defining other blocks if needed.
   A parser that does not understand them can simply ignore their
   content.

3.2.  Block Types

   The currently standardized Block Type codes are specified in
   Section 10.1; they have been grouped in the following four
   categories:

   (1) Mandatory: The following block MUST appear at least once in each
   file:

   *  Section Header Block (Section 4.1): it defines the most important
      characteristics of the capture file.

   (2) Optional: The following blocks MAY appear in a file:

   *  Interface Description Block (Section 4.2): it defines the most
      important characteristics of the interface(s) used for capturing
      traffic.  This block is required in certain cases, as described
      later.



Tuexen, et al.           Expires 24 January 2024                [Page 5]

Internet-Draft                   pcapng                        July 2023


   *  Enhanced Packet Block (Section 4.3): it contains a single captured
      packet, or a portion of it.  It represents an evolution of the
      original, now obsolete, Packet Block (Appendix A).  If this
      appears in a file, an Interface Description Block is also
      required, before this block.

   *  Simple Packet Block (Section 4.4): it contains a single captured
      packet, or a portion of it, with only a minimal set of information
      about it.  If this appears in a file, an Interface Description
      Block is also required, before this block.

   *  Name Resolution Block (Section 4.5): it defines the mapping from
      numeric addresses present in the packet capture and the canonical
      name counterpart.

   *  Interface Statistics Block (Section 4.6): it defines how to store
      some statistical data (e.g. packet dropped, etc) which can be
      useful to understand the conditions in which the capture has been
      made.  If this appears in a file, an Interface Description Block
      is also required, before this block.

   *  Custom Block (Section 4.8): it contains vendor-specific data in a
      portable fashion.

   (3) Obsolete: The following block SHOULD NOT appear in newly written
   files (but is documented in the Appendix for reference):

   *  Packet Block (Appendix A): it contains a single captured packet,
      or a portion of it.  It is OBSOLETE, and superseded by the
      Enhanced Packet Block (Section 4.3).

   (4) Experimental: The following blocks are considered interesting but
   the authors believe that they deserve more in-depth discussion before
   being defined:

   *  Alternative Packet Blocks

   *  Compression Block

   *  Encryption Block

   *  Fixed Length Block

   *  Directory Block

   *  Traffic Statistics and Monitoring Blocks

   *  Event/Security Blocks



Tuexen, et al.           Expires 24 January 2024                [Page 6]

Internet-Draft                   pcapng                        July 2023


   Requests for new standardized Block Type codes should be made by
   creating a pull request to update this document as described in
   Section 10.1.

3.3.  Logical Block Hierarchy

   The blocks build a logical hierarchy as they refer to each other.
   Figure 2 shows the logical hierarchy of the currently defined blocks
   in the form of a "tree view":

   Section Header
   |
   +- Interface Description
   |  +- Simple Packet
   |  +- Enhanced Packet
   |  +- Interface Statistics
   |
   +- Name Resolution

             Figure 2: Logical Block Hierarchy of a pcapng File

   For example: each captured packet refers to a specific capture
   interface, the interface itself refers to a specific section.

3.4.  Physical File Layout

   The file MUST begin with a Section Header Block.  However, more than
   one Section Header Block can be present in the capture file, each one
   covering the data following it until the next one (or the end of
   file).  A Section includes the data delimited by two Section Header
   Blocks (or by a Section Header Block and the end of the file),
   including the first Section Header Block.

   In case an application cannot read a Section because of different
   version number, it MUST skip everything until the next Section Header
   Block.  Note that, in order to properly skip the blocks until the
   next section, all blocks MUST have the fields Type and Length at the
   beginning.  In order to properly skip blocks in the backward
   direction, all blocks MUST have the Length repeated at the end of the
   block.  These are mandatory requirements that MUST be maintained in
   future versions of the block format.

   Figure 3 shows a typical file layout, with a single Section Header
   that covers the whole file.

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | SHB v1.0  |                      Data                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+



Tuexen, et al.           Expires 24 January 2024                [Page 7]

Internet-Draft                   pcapng                        July 2023


       Figure 3: File structure example: Typical layout with a single
                            Section Header Block

   Figure 4 shows a file that contains three headers, and is normally
   the result of file concatenation.  An application that understands
   only version 1.0 of the file format skips the intermediate section
   and restart processing the packets after the third Section Header.

   |--   1st Section   --|--   2nd Section   --|--  3rd Section  --|
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | SHB v1.0  |  Data   | SHB V1.1  |  Data   | SHB V1.0  |  Data |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      Figure 4: File structure example: three Section Header Blocks in
                               a single file

   Figure 5 shows a file comparable to a "classic libpcap" file - the
   minimum for a useful capture file.  It contains a single
   Section Header Block (SHB), a single Interface Description Block
   (IDB) and a few Enhanced Packet Blocks (EPB).

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | SHB | IDB | EPB | EPB |    ...    | EPB |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

        Figure 5: File structure example: a pcapng file similar to a
                           classical libpcap file

   Figure 6 shows a complex example file.  In addition to the minimum
   file above, it contains packets captured from three interfaces,
   capturing on the third of which begins after packets have arrived on
   other interfaces, and also includes some Name Resolution Blocks (NRB)
   and an Interface Statistics Block (ISB).

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | SHB | IDB | IDB | EPB | NRB |...| IDB | EPB | ISB | NRB | EPB |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

           Figure 6: File structure example: complex pcapng file

   The last example should make it obvious that the block structure
   makes the file format very flexible compared to the classical libpcap
   format.







Tuexen, et al.           Expires 24 January 2024                [Page 8]

Internet-Draft                   pcapng                        July 2023


3.5.  Options

   All the block bodies MAY embed optional fields.  Optional fields can
   be used to insert some information that may be useful when reading
   data, but that is not really needed for packet processing.
   Therefore, each tool can either read the content of the optional
   fields (if any), or skip some of them or even all at once.

   A block that may contain options must be structured so that the
   number of octets of data in the Block Body that precede the options
   can be determined from that data; that allows the beginning of the
   options to be found.  That is true for all standard blocks that
   support options; for Custom Blocks that support options, the Custom
   Data must be structured in such a fashion.  This means that the Block
   Length field (present in the General Block Structure, see
   Section 3.1) can be used to determine how many octets of optional
   fields, if any, are present in the block.  That number can be used to
   determine whether the block has optional fields (if it is zero, there
   are no optional fields), to check, when processing optional fields,
   whether any optional fields remain, and to skip all the optional
   fields at once.

   Options are a list of Type - Length - Value fields, each one
   containing a single value:

   *  Option Type (16 bits): an unsigned value that contains the code
      that specifies the type of the current TLV record.  Option types
      whose Most Significant Bit is equal to one are reserved for local
      use; therefore, there is no guarantee that the code used is unique
      among all capture files (generated by other applications), and is
      most certainly not portable.  For cross-platform globally unique
      vendor-specific extensions, the Custom Option MUST be used
      instead, as defined in Section 3.5.1).

   *  Option Length (16 bits): an unsigned value that contains the
      actual length of the following 'Option Value' field without the
      padding octets.

   *  Option Value (variable length): the value of the given option,
      padded to a 32-bit boundary.  The actual length of this field
      (i.e. without the padding octets) is specified by the Option
      Length field.

   Requests for new standardized option codes for a given block should
   be made by creating a pull request to update this document as
   described in Section 10.1.





Tuexen, et al.           Expires 24 January 2024                [Page 9]

Internet-Draft                   pcapng                        July 2023


   A given option may have a fixed length, in which case all instances
   of that option have a length that is equal to the specified fixed
   length, or a variable length, in which case the option has a minimum
   length and all instances of that option must have a length equal to
   or greater than the specified minimum length.  The length of fixed-
   length options, and the minimum length of variable-length options, is
   specified in the description of the option; if the minimum length of
   a variable-length option is not specified, a zero-length option is
   valid.  Software that reads these files SHOULD report options that
   have an invalid length as errors; the software MAY stop processing
   the file if it sees an option that has invalid length, or MAY ignore
   the option and continue processing it.  Software that writes these
   files MUST NOT write files with options that have invalid lengths.

   If an option's value is a string, the value is not necessarily zero-
   terminated.  Software that reads these files MUST NOT assume that
   strings are zero-terminated, and MUST treat a zero-value octet as a
   string terminator.

   Some options may be repeated several times; for example, a block can
   have multiple comments, and an Interface Description Block can give
   multiple IPv4 or IPv6 addresses for the interface if it has multiple
   IPv4 or IPv6 addresses assigned to it.  Other options may appear at
   most once in a given block.

   The option list is terminated by an option which uses the special
   'End of Option' code (opt_endofopt).  Code that writes pcapng files
   MUST put an opt_endofopt option at the end of an option list.  Code
   that reads pcapng files MUST NOT assume an option list will have an
   opt_endofopt option at the end; it MUST also check for the end of the
   block, and SHOULD treat blocks where the option list has no
   opt_endofopt option as if the option list had an opt_endofopt option
   at the end.

   The format of the optional fields is shown in Figure 7.
















Tuexen, et al.           Expires 24 January 2024               [Page 10]

Internet-Draft                   pcapng                        July 2023


                          1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      Option Type              |         Option Length         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     /                       Option Value                            /
     /              variable length, padded to 32 bits               /
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     /                                                               /
     /                 . . . other options . . .                     /
     /                                                               /
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Option Type == opt_endofopt |   Option Length == 0          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                          Figure 7: Options Format

   The following codes can always be present in any optional field:

      +==============+=======================+===========+==========+
      | Name         | Type                  | Length    | Multiple |
      |              |                       |           | allowed? |
      +==============+=======================+===========+==========+
      | opt_endofopt | 0                     | 0         | no       |
      +--------------+-----------------------+-----------+----------+
      | opt_comment  | 1                     | variable  | yes      |
      +--------------+-----------------------+-----------+----------+
      | opt_custom   | 2988/2989/19372/19373 | variable, | yes      |
      |              |                       | minimum 4 |          |
      +--------------+-----------------------+-----------+----------+

                          Table 1: Common Options

   opt_endofopt:
           The opt_endofopt option delimits the end of the optional
           fields.  This option MUST NOT be repeated within a given list
           of options.

   opt_comment:
           The opt_comment option is a UTF-8 string containing human-
           readable comment text that is associated to the current
           block.  Line separators SHOULD be a carriage-return +
           linefeed ('\r\n') or just linefeed ('\n'); either form may
           appear and be considered a line separator.  The string is not
           zero-terminated.






Tuexen, et al.           Expires 24 January 2024               [Page 11]

Internet-Draft                   pcapng                        July 2023


   Examples: "This packet is the beginning of all of our problems",
   "Packets 17-23 showing a bogus TCP retransmission!\r\n This is
   reported in bugzilla entry 1486.\nIt will be fixed in the future.".

   opt_custom:
           This option is described in detail in Section 3.5.1.

3.5.1.  Custom Options

   Customs Options are used for portable, vendor-specific data related
   to the block they're in.  A Custom Option can be in any block type
   that can have options, can be repeated any number of times in a
   block, and may come before or after other option types - except the
   opt_endofopt option, which is always the last option.  Different
   Custom Options, of different type codes and/or different Private
   Enterprise Numbers, may be used in the same pcapng file.  See
   Section 5 for additional details.

                          1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Custom Option Type        |         Option Length         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                Private Enterprise Number (PEN)                |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     /                        Custom Data                            /
     /              variable length, padded to 32 bits               /
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                      Figure 8: Custom Options Format

   The Custom Option has the following fields:

   *  Custom Option Type: The type code number for the Custom Option,
      which can be one of the following decimal numbers:

      2988:  
              This option type code identifies a Custom Option
              containing a UTF-8 string in the Custom Data portion.  The
              string is not zero-terminated.  This Custom Option can be
              safely copied to a new file if the pcapng file is
              manipulated by an application; otherwise 19372 should be
              used instead.  See Section 5.2 for details.

      2989:  
              This option type code identifies a Custom Option
              containing binary octets in the Custom Data portion.  This
              Custom Option can be safely copied to a new file if the



Tuexen, et al.           Expires 24 January 2024               [Page 12]

Internet-Draft                   pcapng                        July 2023


              pcapng file is manipulated by an application; otherwise
              19372 should be used instead.  See Section 5.2 for
              details.

      19372: 
              This option type code identifies a Custom Option
              containing a UTF-8 string in the Custom Data portion.  The
              string is not zero-terminated.  This Custom Option should
              not be copied to a new file if the pcapng file is
              manipulated by an application.  See Section 5.2 for
              details.

      19373: 
              This option type code identifies a Custom Option
              containing binary octets in the Custom Data portion.  This
              Custom Option should not be copied to a new file if the
              pcapng file is manipulated by an application.  See
              Section 5.2 for details.

   *  Option Length: as described in Section 3.1, this contains the
      length of the option's value, which includes the 4-octet Private
      Enterprise Number and variable-length Custom Data fields, without
      the padding octets.

   *  Private Enterprise Number: An IANA-assigned Private Enterprise
      Number identifying the organization which defined the Custom
      Option.  See Section 5.1 for details.  The PEN MUST be encoded
      using the same endianness as the Section Header Block it is within
      the scope of.

   *  Custom Data: the custom data, padded to a 32 bit boundary.

3.6.  Data format

3.6.1.  Endianness

   Data contained in each section will always be saved according to the
   characteristics (little endian / big endian) of the capturing
   machine.  This refers to all the fields that are saved as numbers and
   that span over two or more octets.

   The approach of having each section saved in the native format of the
   generating host is more efficient because it avoids translation of
   data when reading / writing on the host itself, which is the most
   common case when generating/processing capture captures.






Tuexen, et al.           Expires 24 January 2024               [Page 13]

Internet-Draft                   pcapng                        July 2023


   Please note: The endianness is indicated by the Section Header Block
   (Section 4.1).  Since this block can appear several times in a pcapng
   file, a single file can contain both endianness variants.

3.6.2.  Alignment

   All fields of this specification use proper alignment for 16- and
   32-bit values.  This makes it easier and faster to read/write file
   contents if using techniques like memory mapped files.

   The alignment octets (marked in this document e.g. with "padded to 32
   bits") MUST be filled with zeroes.

   Please note: 64-bit values are not aligned to 64-bit boundaries.
   This is because the file is naturally aligned to 32-bit boundaries
   only.  Special care MUST be taken when reading and writing such
   values.  (Note also that some 64-bit values are represented as a
   64-bit integer in the endianness of the machine that wrote the file,
   and others are represented as 2 32-bit values, one containing the
   upper 32 bits of the value and one containing the lower 32 bits of
   the value, each written as 32-bit integers in the endianness of the
   machine that wrote the file.  Neither of these formats guarantee
   64-bit alignment.)

3.6.3.  Strings

   If a string is specified as being encoded as UTF-8, software that
   reads that string MUST NOT assume that the string's value is valid
   UTF-8, and MAY discard a string that are is valid UTF-8 or MAY repair
   the string by replacing invalid octet sequences with valid sequences
   such as the sequence for a Unicode REPLACEMENT CHARACTER; software
   that writes that string fields MUST write only a valid UTF-8 string.

4.  Block Definition

   This section details the format of the blocks currently defined.

4.1.  Section Header Block

   The Section Header Block (SHB) is mandatory.  It identifies the
   beginning of a section of the capture file.  The Section Header Block
   does not contain data but it rather identifies a list of blocks
   (interfaces, packets) that are logically correlated.  Its format is
   shown in Figure 9.







Tuexen, et al.           Expires 24 January 2024               [Page 14]

Internet-Draft                   pcapng                        July 2023


                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    0 |                   Block Type = 0x0A0D0D0A                     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    4 |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    8 |                      Byte-Order Magic                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   12 |          Major Version        |         Minor Version         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   16 |                                                               |
      |                          Section Length                       |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   24 /                                                               /
      /                      Options (variable)                       /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                   Figure 9: Section Header Block Format

   The meaning of the fields is:

   *  Block Type: The block type of the Section Header Block is the
      integer corresponding to the 4-char string "\n\r\r\n"
      (0x0A0D0D0A).  This particular value is used for 2 reasons:

      1.  This number is used to detect if a file has been transferred
          via FTP or HTTP from a machine to another with an
          inappropriate ASCII conversion.  In this case, the value of
          this field will differ from the standard one ("\n\r\r\n") and
          the reader can detect a possibly corrupted file.

      2.  This value is palindromic, so that the reader is able to
          recognize the Section Header Block regardless of the
          endianness of the section.  The endianness is recognized by
          reading the Byte Order Magic, which is located 8 octets after
          the Block Type.

   *  Block Total Length: total size of this block, as described in
      Section 3.1.







Tuexen, et al.           Expires 24 January 2024               [Page 15]

Internet-Draft                   pcapng                        July 2023


   *  Byte-Order Magic (32 bits): an unsigned magic number, whose value
      is the hexadecimal number 0x1A2B3C4D.  This number can be used to
      distinguish sections that have been saved on little-endian
      machines from the ones saved on big-endian machines, and to
      heuristically identify pcapng files.

   *  Major Version (16 bits): an unsigned value, giving the number of
      the current major version of the format.  The value for the
      current version of the format is 1.

   *  Minor Version (16 bits): an unsigned value, giving the number of
      the current minor version of the format.  The value for the
      current version of the format is 0.

   *  Section Length (64 bits): a signed value specifying the length in
      octets of the following section, excluding the Section Header
      Block itself.  This field can be used to skip the section, for
      faster navigation inside large files.  If the Section Length is -1
      (0xFFFFFFFFFFFFFFFF), this means that the size of the section is
      not specified, and the only way to skip the section is to parse
      the blocks that it contains.  Please note that if this field is
      valid (i.e. not negative), its value is always a multiple of 4, as
      all the blocks are aligned to and padded to 32-bit (4 octet)
      boundaries.  Also, special care should be taken in accessing this
      field: since the alignment of all the blocks in the file is
      32-bits, this field is not guaranteed to be aligned to a 64-bit
      boundary.  This could be a problem on 64-bit processors.

   *  Options: optionally, a list of options (formatted according to the
      rules defined in Section 3.5) can be present.

   Writers of pcapng files MUST NOT write SHBs with a Major Version
   other than 1 or a Minor Version other than 0.  If they do so, they
   will write a file that many readers of pcapng files, such as programs
   using libpcap to read pcapng files (including, but not limited to,
   tcpdump), Wireshark, and possibly other programs not to be able to
   read their files.

   Some pcapng file writers have used a minor version of 2, but the file
   format did not change incompatibly (new block types were added);
   Readers of pcapng files MUST treat a Minor Version of 2 as equivalent
   to a Minor Version of 0 (and, if they also write a pcapng file based
   on the results of reading one or more pcapng files, they MUST NOT, as
   per the previous sentence, write an SHB with a Minor Version of 2,
   even if they read an SHB with a Minor Version of 2).  As indicated
   above, using a minor version number other than 0 when writing a
   section of a pcapng file will produce a section that most existing
   software will not be able to read; future versions of some of that



Tuexen, et al.           Expires 24 January 2024               [Page 16]

Internet-Draft                   pcapng                        July 2023


   software will be able to read sections with a version of 1.2, but
   older copies of that software that are not updated to the latest
   version will still not be able to read them.

   The Major Version would be changed only if a new version of this
   specification, for a later major version of the file format, were
   created.  Such a version would only be created if the format were to
   change in such a way that code that reads the new format could not
   read the old format (i.e., code to read both formats would have to
   check the version number and use different code paths for the two
   formats) and code that reads the old format could not read the new
   format.  An incompatible change to the format of an existing block or
   an existing option would be such a change; the addition of a new
   block or a new option would not be such a change.  An example of such
   an incompatible change would be the addition of an additional field
   to the Section Header Block, following the Minor Version field and
   before the Snaplen field; software expecting the new SHB format would
   not correctly read the old SHB format, and software expecting the old
   SHB format would not correctly read the new SHB format.  (Note that a
   change to the SHB must leave the Block Type, Block Total Length,
   Byte-Order Magic, Major Version, and Minor Version fields at the same
   offsets from the beginning of the SHB and with the same lengths, must
   keep the value of the Block Type the same, must keep the two possible
   values of the Byte-Order Magic the same, depending on the block's
   byte order, so that the rest of the SHB can be correctly
   interpreted.)

   The Minor Version would be changed only if a new version of this
   specification, for a later minor version of the file format, were
   created.  Such a version would only be created if the format were to
   change in such a way that code that reads the new format could read
   the old format without checking the version number but code that
   reads the old format could not read all files in the new format.  A
   backward-compatible change to the format of an existing block or an
   existing option would be such a change; the addition of a new block
   or a new option would not be such a change.  An example of such a
   backward-compatible but not forward-compatible change would be a
   change to the Interface Description block (see below) to use the
   current Reserved field to indicate the presence of additional fields
   before the Options, with a zero value indicate no such fields are
   present.

   I.e., adding new block types or options would not require that either
   the Major Version or the Minor Version be changed, as code that does
   not know about the block type or option should just skip it; only if
   skipping a block or option does not work should the minor version
   number be changed.




Tuexen, et al.           Expires 24 January 2024               [Page 17]

Internet-Draft                   pcapng                        July 2023


   Aside from the options defined in Section 3.5, the following options
   are valid within this block:

          +==============+======+==========+===================+
          | Name         | Type | Length   | Multiple allowed? |
          +==============+======+==========+===================+
          | shb_hardware | 2    | variable | no                |
          +--------------+------+----------+-------------------+
          | shb_os       | 3    | variable | no                |
          +--------------+------+----------+-------------------+
          | shb_userappl | 4    | variable | no                |
          +--------------+------+----------+-------------------+

                  Table 2: Section Header Block Options

   shb_hardware:
           The shb_hardware option is a UTF-8 string containing the
           description of the hardware used to create this section.  The
           string is not zero-terminated.

   Examples: "x86 Personal Computer", "Sun Sparc Workstation".

   shb_os:
           The shb_os option is a UTF-8 string containing the name of
           the operating system used to create this section.  The string
           is not zero-terminated.

   Examples: "Windows XP SP2", "openSUSE 10.2".

   shb_userappl:
           The shb_userappl option is a UTF-8 string containing the name
           of the application used to create this section.  The string
           is not zero-terminated.

   Examples: "dumpcap V0.99.7".

   [Open issue: does a program which re-writes a capture file change the
   original hardware/os/application info?]

4.2.  Interface Description Block

   An Interface Description Block (IDB) is the container for information
   describing an interface on which packet data is captured.

   Tools that write / read the capture file associate an incrementing
   unsigned 32-bit number (starting from '0') to each Interface
   Definition Block, called the Interface ID for the interface in
   question.  This number is unique within each Section and identifies



Tuexen, et al.           Expires 24 January 2024               [Page 18]

Internet-Draft                   pcapng                        July 2023


   the interface to which the IDB refers; it is only unique inside the
   current section, so, two Sections can have different interfaces
   identified by the same Interface ID values.  This unique identifier
   is referenced by other blocks, such as Enhanced Packet Blocks and
   Interface Statistic Blocks, to indicate the interface to which the
   block refers (such the interface that was used to capture the packet
   that an Enhanced Packet Block contains or to which the statistics in
   an Interface Statistic Block refer).

   Within a section, there must be an Interface Description Block for
   each interface to which another block within that section refers.
   Blocks such as an Enhanced Packet Block or an Interface Statistics
   Block contain an Interface ID value referring to a particular
   interface, and a Simple Packet Block implicitly refers to an
   interface with an Interface ID of 0.  If the file does not contain
   any blocks that use an Interface ID, then the file does not need to
   have any IDBs.

   There is no requirement that all Interface Description Blocks occur
   within a section before all blocks of other types, as long as the
   Interface Description Block for an interface occurs before any block
   that refers to that interface.

   An Interface Description Block is valid only inside the section to
   which it belongs.  The structure of an Interface Description Block is
   shown in Figure 10.

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    0 |                    Block Type = 0x00000001                    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    4 |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    8 |           LinkType            |           Reserved            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   12 |                            SnapLen                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   16 /                                                               /
      /                      Options (variable)                       /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

               Figure 10: Interface Description Block Format

   The meaning of the fields is:



Tuexen, et al.           Expires 24 January 2024               [Page 19]

Internet-Draft                   pcapng                        July 2023


   *  Block Type: The block type of the Interface Description Block is
      1.

   *  Block Total Length: total size of this block, as described in
      Section 3.1.

   *  LinkType (16 bits): an unsigned value that defines the link layer
      type of this interface.  The list of Standardized Link Layer Type
      codes is available in [I-D.richardson-opsawg-pcaplinktype].

   *  Reserved (16 bits): not used - MUST be filled with 0 by pcapng
      file writers, and MUST be ignored by pcapng file readers.

   *  SnapLen (32 bits): an unsigned value indicating the maximum number
      of octets captured from each packet.  The portion of each packet
      that exceeds this value will not be stored in the file.  A value
      of zero indicates no limit.

   *  Options: optionally, a list of options (formatted according to the
      rules defined in Section 3.5) can be present.

   In addition to the options defined in Section 3.5, the following
   options are valid within this block:




























Tuexen, et al.           Expires 24 January 2024               [Page 20]

Internet-Draft                   pcapng                        July 2023


    +================+======+=====================+===================+
    | Name           | Type | Length              | Multiple allowed? |
    +================+======+=====================+===================+
    | if_name        | 2    | variable            | no                |
    +----------------+------+---------------------+-------------------+
    | if_description | 3    | variable            | no                |
    +----------------+------+---------------------+-------------------+
    | if_IPv4addr    | 4    | 8                   | yes               |
    +----------------+------+---------------------+-------------------+
    | if_IPv6addr    | 5    | 17                  | yes               |
    +----------------+------+---------------------+-------------------+
    | if_MACaddr     | 6    | 6                   | no                |
    +----------------+------+---------------------+-------------------+
    | if_EUIaddr     | 7    | 8                   | no                |
    +----------------+------+---------------------+-------------------+
    | if_speed       | 8    | 8                   | no                |
    +----------------+------+---------------------+-------------------+
    | if_tsresol     | 9    | 1                   | no                |
    +----------------+------+---------------------+-------------------+
    | if_tzone       | 10   | 4                   | no                |
    +----------------+------+---------------------+-------------------+
    | if_filter      | 11   | variable, minimum 1 | no                |
    +----------------+------+---------------------+-------------------+
    | if_os          | 12   | variable            | no                |
    +----------------+------+---------------------+-------------------+
    | if_fcslen      | 13   | 1                   | no                |
    +----------------+------+---------------------+-------------------+
    | if_tsoffset    | 14   | 8                   | no                |
    +----------------+------+---------------------+-------------------+
    | if_hardware    | 15   | variable            | no                |
    +----------------+------+---------------------+-------------------+
    | if_txspeed     | 16   | 8                   | no                |
    +----------------+------+---------------------+-------------------+
    | if_rxspeed     | 17   | 8                   | no                |
    +----------------+------+---------------------+-------------------+

                Table 3: Interface Description Block Options

   if_name:
           The if_name option is a UTF-8 string containing the name of
           the device used to capture data.  The string is not zero-
           terminated.

   Examples: "eth0",
   "\Device\NPF_{AD1CE675-96D0-47C5-ADD0-2504B9126B68}".

   if_description:




Tuexen, et al.           Expires 24 January 2024               [Page 21]

Internet-Draft                   pcapng                        July 2023


           The if_description option is a UTF-8 string containing the
           description of the device used to capture data.  The string
           is not zero-terminated.

   Examples: "Wi-Fi", "Local Area Connection", "Wireless Network
   Connection", "First Ethernet Interface".

   if_IPv4addr:
           The if_IPv4addr option is an IPv4 network address and
           corresponding netmask for the interface.  The first four
           octets are the IP address, and the next four octets are the
           netmask.  This option can be repeated multiple times within
           the same Interface Description Block when multiple IPv4
           addresses are assigned to the interface.  Note that the IP
           address and netmask are both treated as four octets, one for
           each octet of the address or mask; they are not 32-bit
           numbers, and thus the endianness of the SHB does not affect
           this field's value.

   Examples: '192 168 1 1 255 255 255 0'.

   if_IPv6addr:
           The if_IPv6addr option is an IPv6 network address and
           corresponding prefix length for the interface.  The first 16
           octets are the IP address and the next octet is the prefix
           length.  This option can be repeated multiple times within
           the same Interface Description Block when multiple IPv6
           addresses are assigned to the interface.

   Example: 2001:0db8:85a3:08d3:1319:8a2e:0370:7344/64 is written (in
   hex) as '20 01 0d b8 85 a3 08 d3 13 19 8a 2e 03 70 73 44 40'.

   if_MACaddr:
           The if_MACaddr option is the Interface Hardware EUI-48 (MAC)
           address (48 bits), if available.

   Example: '00 01 02 03 04 05'.

   if_EUIaddr:
           The if_EUIaddr option is the Interface Hardware EUI-64
           address (64 bits), if available.

   Example: '02 34 56 FF FE 78 9A BC'.

   if_speed:
           The if_speed option is a 64-bit unsigned value indicating the
           interface speed, in bits per second.




Tuexen, et al.           Expires 24 January 2024               [Page 22]

Internet-Draft                   pcapng                        July 2023


   Example: the 64-bit decimal number 100000000 for 100Mbps.

   if_tsresol:
           The if_tsresol option identifies the resolution of
           timestamps.  If the Most Significant Bit is equal to zero,
           the remaining bits indicates the resolution of the timestamp
           as a negative power of 10 (e.g. 6 means microsecond
           resolution, timestamps are the number of microseconds since
           1970-01-01 00:00:00 UTC).  If the Most Significant Bit is
           equal to one, the remaining bits indicates the resolution as
           negative power of 2 (e.g. 10 means 1/1024 of second).  If
           this option is not present, a resolution of 10^-6 is assumed
           (i.e. timestamps have the same resolution of the standard
           'libpcap' timestamps).

   Example: '6'.

   if_tzone:
           The if_tzone option identifies the time zone for GMT support
           (TODO: specify better).

   Example: TODO: give a good example.

   if_filter:
           The if_filter option identifies the filter (e.g. "capture
           only TCP traffic") used to capture traffic.  The first octet
           of the Option Data keeps a code of the filter used (e.g. if
           this is a libpcap string, or BPF bytecode, and more).  More
           details about this format will be presented in Appendix XXX
           (TODO).  (TODO: better use different options for different
           fields? e.g. if_filter_pcap, if_filter_bpf, ...)

   Example: '00'"tcp port 23 and host 192.0.2.5".

   if_os: 
           The if_os option is a UTF-8 string containing the name of the
           operating system of the machine in which this interface is
           installed.  This can be different from the same information
           that can be contained by the Section Header Block
           (Section 4.1) because the capture can have been done on a
           remote machine.  The string is not zero-terminated.

   Examples: "Windows XP SP2", "openSUSE 10.2".

   if_fcslen:
           The if_fcslen option is an 8-bit unsigned integer value that
           specifies the length of the Frame Check Sequence (in bits)
           for this interface.  For link layers whose FCS length can



Tuexen, et al.           Expires 24 January 2024               [Page 23]

Internet-Draft                   pcapng                        July 2023


           change during time, the Enhanced Packet Block epb_flags
           Option can be used in each Enhanced Packet Block (see
           Section 4.3.1).

   Example: '4'.

   if_tsoffset:
           The if_tsoffset option is a 64-bit signed integer value that
           specifies an offset (in seconds) that must be added to the
           timestamp of each packet to obtain the absolute timestamp of
           a packet.  If the option is missing, the timestamps stored in
           the packet MUST be considered absolute timestamps.  The time
           zone of the offset can be specified with the option if_tzone.
           TODO: won't a if_tsoffset_low for fractional second offsets
           be useful for highly synchronized capture systems?

   Example: '1234'.

   if_hardware:
           The if_hardware option is a UTF-8 string containing the
           description of the interface hardware.  The string is not
           zero-terminated.

   Examples: "Broadcom NetXtreme", "Intel(R) PRO/1000 MT Network
   Connection", "NETGEAR WNA1000Mv2 N150 Wireless USB Micro Adapter".

   if_txspeed:
           The if_txrxspeeds option is a 64-bit unsigned value
           indicating the interface transmit speed in bits per second.

   Example: the 64-bit decimal number 1024000 for 1024Kbps.

   if_rxspeed:
           The if_rxspeed option is a 64-bit unsigned value indicating
           the interface receive speed, in bits per second.

   Example: the 64-bit decimal number 8192000 for 8192Kbps.

   If the interface transmit speed and receive speed are the same, the
   if_speed option MUST be used and the if_txspeed and if_rxspeed
   options MUST NOT be used.  If the transmit speed is unknown, the
   if_speed and if_txspeed options MUST NOT be used; if the receive
   speed is unknown, the if_speed and if_rxspeed options MUST NOT be
   used.







Tuexen, et al.           Expires 24 January 2024               [Page 24]

Internet-Draft                   pcapng                        July 2023


4.3.  Enhanced Packet Block

   An Enhanced Packet Block (EPB) is the standard container for storing
   the packets coming from the network.  The Enhanced Packet Block is
   optional because packets can be stored either by means of this block
   or the Simple Packet Block, which can be used to speed up capture
   file generation; or a file may have no packets in it.  The format of
   an Enhanced Packet Block is shown in Figure 11.

   The Enhanced Packet Block is an improvement over the original, now
   obsolete, Packet Block (Appendix A):

   *  it stores the Interface Identifier as a 32-bit integer value.
      This is a requirement when a capture stores packets coming from a
      large number of interfaces;

   *  unlike the Packet Block (Appendix A), the number of packets
      dropped by the capture system between this packet and the previous
      one is not stored in the header, but rather in an option of the
      block itself.































Tuexen, et al.           Expires 24 January 2024               [Page 25]

Internet-Draft                   pcapng                        July 2023


                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    0 |                    Block Type = 0x00000006                    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    4 |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    8 |                         Interface ID                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   12 |                        Timestamp (High)                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   16 |                        Timestamp (Low)                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   20 |                    Captured Packet Length                     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   24 |                    Original Packet Length                     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   28 /                                                               /
      /                          Packet Data                          /
      /              variable length, padded to 32 bits               /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      /                                                               /
      /                      Options (variable)                       /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                  Figure 11: Enhanced Packet Block Format

   The Enhanced Packet Block has the following fields:

   *  Block Type: The block type of the Enhanced Packet Block is 6.

   *  Block Total Length: total size of this block, as described in
      Section 3.1.

   *  Interface ID (32 bits): an unsigned value that specifies the
      interface on which this packet was received or transmitted; the
      correct interface will be the one whose Interface Description
      Block (within the current Section of the file) is identified by
      the same number (see Section 4.2) of this field.  The interface ID
      MUST be valid, which means that an matching interface description
      block MUST exist.






Tuexen, et al.           Expires 24 January 2024               [Page 26]

Internet-Draft                   pcapng                        July 2023


   *  Timestamp (High) and Timestamp (Low): upper 32 bits and lower 32
      bits of a 64-bit timestamp.  The timestamp is a single 64-bit
      unsigned integer that represents the number of units of time that
      have elapsed since 1970-01-01 00:00:00 UTC.  The length of a unit
      of time is specified by the 'if_tsresol' option (see Figure 10) of
      the Interface Description Block referenced by this packet.  Note
      that, unlike timestamps in the libpcap file format, timestamps in
      Enhanced Packet Blocks are not saved as two 32-bit values that
      represent the seconds and microseconds that have elapsed since
      1970-01-01 00:00:00 UTC.  Timestamps in Enhanced Packet Blocks are
      saved as two 32-bit words that represent the upper and lower 32
      bits of a single 64-bit quantity.

   *  Captured Packet Length (32 bits): an unsigned value that indicates
      the number of octets captured from the packet (i.e. the length of
      the Packet Data field).  It will be the minimum value among the
      Original Packet Length and the snapshot length for the interface
      (SnapLen, defined in Figure 10).  The value of this field does not
      include the padding octets added at the end of the Packet Data
      field to align the Packet Data field to a 32-bit boundary.

   *  Original Packet Length (32 bits): an unsigned value that indicates
      the actual length of the packet when it was transmitted on the
      network.  It can be different from the Captured Packet Length if
      the packet has been truncated by the capture process; it SHOULD
      NOT be less than the Captured Packet Length.

      A pcapng file writer MAY write an Original Packet Length that is
      less than the Captured Packet Length if both the Captured Packet
      Length and the Original Packet length came from a file in which a
      packet had an Original Packet Length less than the Captured Packet
      Length; otherwise, it MUST write an Original Packet Length that is
      greater than or equal to the Captured Packet Length.

      A pcapng file reader MAY convert an Original Packet Length that is
      less than the Captured Packet Length to a value that is greater
      than or equal to the Captured Packet Length.

   *  Packet Data: the data coming from the network, including link-
      layer headers.  The actual length of this field is Captured Packet
      Length plus the padding to a 32-bit boundary.  The format of the
      link-layer headers depends on the LinkType field specified in the
      Interface Description Block (see Section 4.2) and it is specified
      in the entry for that format in
      [I-D.richardson-opsawg-pcaplinktype].

   *  Options: optionally, a list of options (formatted according to the
      rules defined in Section 3.5) can be present.



Tuexen, et al.           Expires 24 January 2024               [Page 27]

Internet-Draft                   pcapng                        July 2023


   In addition to the options defined in Section 3.5, the following
   options are valid within this block:

   +========================+======+========================+==========+
   | Name                   | Type | Length                 | Multiple |
   |                        |      |                        | allowed? |
   +========================+======+========================+==========+
   | epb_flags              | 2    | 4                      | no       |
   +------------------------+------+------------------------+----------+
   | epb_hash               | 3    | variable, minimum      | yes      |
   |                        |      | hash type-dependent    |          |
   +------------------------+------+------------------------+----------+
   | epb_dropcount          | 4    | 8                      | no       |
   +------------------------+------+------------------------+----------+
   | epb_packetid           | 5    | 8                      | no       |
   +------------------------+------+------------------------+----------+
   | epb_queue              | 6    | 4                      | no       |
   +------------------------+------+------------------------+----------+
   | epb_verdict            | 7    | variable, minimum      | yes      |
   |                        |      | verdict type-          |          |
   |                        |      | dependent              |          |
   +------------------------+------+------------------------+----------+
   | epb_processid_threadid | 8    | 8                      | no       |
   +------------------------+------+------------------------+----------+

                   Table 4: Enhanced Packet Block Options

   epb_flags:
           The epb_flags option is a 32-bit flags word containing link-
           layer information.  A complete specification of the allowed
           flags can be found in Section 4.3.1.

   Example: '0'.

   epb_hash:
















Tuexen, et al.           Expires 24 January 2024               [Page 28]

Internet-Draft                   pcapng                        July 2023


           The epb_hash option contains a hash of the packet.  The first
           octet specifies the hashing algorithm, while the following
           octets contain the actual hash, whose size depends on the
           hashing algorithm, and hence from the value in the first
           octet.  The hashing algorithm can be: 2s complement
           (algorithm octet = 0, size = XXX), XOR (algorithm octet = 1,
           size=XXX), CRC32 (algorithm octet = 2, size = 4), MD-5
           (algorithm octet = 3, size = 16), SHA-1 (algorithm octet = 4,
           size = 20), Toeplitz (algorithm octet = 5, size = 4).  The
           hash covers only the packet, not the header added by the
           capture driver: this gives the possibility to calculate it
           inside the network card.  The hash allows easier comparison/
           merging of different capture files, and reliable data
           transfer between the data acquisition system and the capture
           library.

   Examples: '02 EC 1D 87 97', '03 45 6E C2 17 7C 10 1E 3C 2E 99 6E C2
   9A 3D 50 8E'.

   epb_dropcount:
           The epb_dropcount option is a 64-bit unsigned integer value
           specifying the number of packets lost (by the interface and
           the operating system) between this packet and the preceding
           one for the same interface or, for the first packet for an
           interface, between this packet and the start of the capture
           process.

   Example: '0'.

   epb_packetid:
           The epb_packetid option is a 64-bit unsigned integer that
           uniquely identifies the packet.  If the same packet is seen
           by multiple interfaces and there is a way for the capture
           application to correlate them, the same epb_packetid value
           must be used.  An example could be a router that captures
           packets on all its interfaces in both directions.  When a
           packet hits interface A on ingress, an EPB entry gets
           created, TTL gets decremented, and right before it egresses
           on interface B another EPB entry gets created in the trace
           file.  In this case, two packets are in the capture file,
           which are not identical but the epb_packetid can be used to
           correlate them.

   Example: '0'.

   epb_queue:





Tuexen, et al.           Expires 24 January 2024               [Page 29]

Internet-Draft                   pcapng                        July 2023


           The epb_queue option is a 32-bit unsigned integer that
           identifies on which queue of the interface the specific
           packet was received.

   Example: '0'.

   epb_verdict:
           The epb_verdict option stores a verdict of the packet.  The
           verdict indicates what would be done with the packet after
           processing it.  For example, a firewall could drop the
           packet.  This verdict can be set by various components, i.e.
           Hardware, Linux's eBPF TC or XDP framework, etc. etc.  The
           first octet specifies the verdict type, while the following
           octets contain the actual verdict data, whose size depends on
           the verdict type, and hence from the value in the first
           octet.  The verdict type can be: Hardware (type octet = 0,
           size = variable), Linux_eBPF_TC (type octet = 1, size = 8
           (64-bit unsigned integer), value = TC_ACT_* as defined in the
           Linux pck_cls.h (https://git.kernel.org/pub/scm/linux/kernel/
           git/torvalds/linux.git/tree/include/uapi/linux/pkt_cls.h)
           include), Linux_eBPF_XDP (type octet = 2, size = 8 (64-bit
           unsigned integer), value = xdp_action as defined in the Linux
           pbf.h (https://git.kernel.org/pub/scm/linux/kernel/git/torval
           ds/linux.git/tree/include/uapi/linux/bpf.h) include).

   Example: '02 00 00 00 00 00 00 00 02' for Linux_eBPF_XDP with verdict
   XDP_PASS.

   epb_processid_threadid:
           The epb_processid_threadid option stores the numeric process
           identifier and thread identifier of the process which
           originated the packet as unsigned 32-bit integers.  The value
           0 can be used for each if the concept of a process or thread
           identifier does not make sense in context (e.g. for inbound
           packets) or if the operating system capturing the packets has
           no concept of processes or threads, respectively.

   Example: '00 00 04 D2 00 00 00 00' for process 1234 and an unknown
   thread.

4.3.1.  Enhanced Packet Block Flags Word

   The Enhanced Packet Block Flags Word is a 32-bit value that contains
   link-layer information about the packet.







Tuexen, et al.           Expires 24 January 2024               [Page 30]

Internet-Draft                   pcapng                        July 2023


   The word is encoded as an unsigned 32-bit integer, using the
   endianness of the Section Header Block scope it is in.  In the
   following table, the bits are numbered with 0 being the least-
   significant bit and 31 being the most-significant bit of the 32-bit
   unsigned integer.  The meaning of the bits is the following:

     +========+======================================================+
     | Bit    | Description                                          |
     | Number |                                                      |
     +========+======================================================+
     | 0-1    | Inbound / Outbound packet (00 = information not      |
     |        | available, 01 = inbound, 10 = outbound)              |
     +--------+------------------------------------------------------+
     | 2-4    | Reception type (000 = not specified, 001 = unicast,  |
     |        | 010 = multicast, 011 = broadcast, 100 =              |
     |        | promiscuous).                                        |
     +--------+------------------------------------------------------+
     | 5-8    | FCS length, in octets (0000 if this information is   |
     |        | not available).  This value overrides the if_fcslen  |
     |        | option of the Interface Description Block, and is    |
     |        | used with those link layers (e.g.  PPP) where the    |
     |        | length of the FCS can change during time.            |
     +--------+------------------------------------------------------+
     | 9-15   | Reserved (MUST be set to zero).                      |
     +--------+------------------------------------------------------+
     | 16-31  | link-layer-dependent errors (Bit 31 = symbol error,  |
     |        | Bit 30 = preamble error, Bit 29 = Start Frame        |
     |        | Delimiter error, Bit 28 = unaligned frame error, Bit |
     |        | 27 = wrong Inter Frame Gap error, Bit 26 = packet    |
     |        | too short error, Bit 25 = packet too long error, Bit |
     |        | 24 = CRC error, other?? are 16 bit enough?).         |
     +--------+------------------------------------------------------+

                                  Table 5

   NOTE: in earlier versions of this specification, the bits were
   specified as being numbered with 0 being the most-significant bit and
   31 being the least-significant bit of the 32-bit unsigned integer,
   rather than with 0 being the least-significant bit and 31 being the
   most-significant bit.  Several implementations number the bits with 0
   being the least-significant bit, and no known implementations number
   them with 0 being the most-significant bit, so the specification was
   changed to reflect that reality.

4.4.  Simple Packet Block

   The Simple Packet Block (SPB) is a lightweight container for storing
   the packets coming from the network.  Its presence is optional.



Tuexen, et al.           Expires 24 January 2024               [Page 31]

Internet-Draft                   pcapng                        July 2023


   A Simple Packet Block is similar to an Enhanced Packet Block (see
   Section 4.3), but it is smaller, simpler to process and contains only
   a minimal set of information.  This block is preferred to the
   standard Enhanced Packet Block when performance or space occupation
   are critical factors, such as in sustained traffic capture
   applications.  A capture file can contain both Enhanced Packet Blocks
   and Simple Packet Blocks: for example, a capture tool could switch
   from Enhanced Packet Blocks to Simple Packet Blocks when the hardware
   resources become critical.

   The Simple Packet Block does not contain the Interface ID field.
   Therefore, it MUST be assumed that all the Simple Packet Blocks have
   been captured on the interface previously specified in the first
   Interface Description Block.

   Figure 12 shows the format of the Simple Packet Block.

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    0 |                    Block Type = 0x00000003                    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    4 |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    8 |                    Original Packet Length                     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   12 /                                                               /
      /                          Packet Data                          /
      /              variable length, padded to 32 bits               /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                   Figure 12: Simple Packet Block Format

   The Simple Packet Block has the following fields:

   *  Block Type: The block type of the Simple Packet Block is 3.

   *  Block Total Length: total size of this block, as described in
      Section 3.1.

   *  Original Packet Length (32 bits): an unsigned value indicating the
      actual length of the packet when it was transmitted on the
      network.  It can be different from length of the Packet Data
      field's length if the packet has been truncated by the capture
      process, in which case the SnapLen value in Section 4.2 will be



Tuexen, et al.           Expires 24 January 2024               [Page 32]

Internet-Draft                   pcapng                        July 2023


      less than this Original Packet Length value, and the SnapLen value
      MUST be used to determine the size of the Packet Data field
      length.

   *  Packet Data: the data coming from the network, including link-
      layer headers.  The length of this field can be derived from the
      field Block Total Length, present in the Block Header, and it is
      the minimum value among the SnapLen (present in the Interface
      Description Block) and the Original Packet Length (present in this
      header).  The format of the data within this Packet Data field
      depends on the LinkType field specified in the Interface
      Description Block (see Section 4.2) and it is specified in the
      entry for that format in [I-D.richardson-opsawg-pcaplinktype].

   The Simple Packet Block does not contain the timestamp because this
   is often one of the most costly operations on PCs.  Additionally,
   there are applications that do not require it; e.g. an Intrusion
   Detection System is interested in packets, not in their timestamp.

   A Simple Packet Block cannot be present in a Section that has more
   than one interface because of the impossibility to refer to the
   correct one (it does not contain any Interface ID field).

   The Simple Packet Block is very efficient in term of disk space: a
   snapshot whose length is 100 octets requires only 16 octets of
   overhead, which corresponds to an efficiency of more than 86%.

4.5.  Name Resolution Block

   The Name Resolution Block (NRB) is used to support the correlation of
   numeric addresses (present in the captured packets) and their
   corresponding canonical names and it is optional.  Having the literal
   names saved in the file prevents the need for performing name
   resolution at a later time, when the association between names and
   addresses may be different from the one in use at capture time.
   Moreover, the NRB avoids the need for issuing a lot of DNS requests
   every time the trace capture is opened, and also provides name
   resolution when reading the capture with a machine not connected to
   the network.

   A Name Resolution Block is often placed at the beginning of the file,
   but no assumptions can be taken about its position.  Multiple NRBs
   can exist in a pcapng file, either due to memory constraints or
   because additional name resolutions were performed by file processing
   tools, like network analyzers.






Tuexen, et al.           Expires 24 January 2024               [Page 33]

Internet-Draft                   pcapng                        July 2023


   A Name Resolution Block need not contain any Records, except the
   nrb_record_end Record which MUST be the last Record.  The addresses
   and names in NRB Records MAY be repeated multiple times; i.e., the
   same IP address may resolve to multiple names, the same name may
   resolve to the multiple IP addresses, and even the same address-to-
   name pair may appear multiple times, in the same NRB or across NRBs.

   The format of the Name Resolution Block is shown in Figure 13.

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    0 |                    Block Type = 0x00000004                    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    4 |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    8 |      Record Type              |      Record Value Length      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   12 /                       Record Value                            /
      /              variable length, padded to 32 bits               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      .                                                               .
      .                  . . . other records . . .                    .
      .                                                               .
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Record Type = nrb_record_end |   Record Value Length = 0     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      /                                                               /
      /                      Options (variable)                       /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                  Figure 13: Name Resolution Block Format

   The Name Resolution Block has the following fields:

   *  Block Type: The block type of the Name Resolution Block is 4.

   *  Block Total Length: total size of this block, as described in
      Section 3.1.

   This is followed by zero or more Name Resolution Records (in the TLV
   format), each of which contains an association between a network
   address and a name.  An nrb_record_end MUST be added after the last
   Record, and MUST exist even if there are no other Records in the NRB.
   There are currently three possible types of records:



Tuexen, et al.           Expires 24 January 2024               [Page 34]

Internet-Draft                   pcapng                        July 2023


                 +==================+========+==========+
                 | Name             | Type   | Length   |
                 +==================+========+==========+
                 | nrb_record_end   | 0x0000 | 0        |
                 +------------------+--------+----------+
                 | nrb_record_ipv4  | 0x0001 | variable |
                 +------------------+--------+----------+
                 | nrb_record_ipv6  | 0x0002 | variable |
                 +------------------+--------+----------+
                 | nrb_record_eui48 | 0x0003 | variable |
                 +------------------+--------+----------+
                 | nrb_record_eui64 | 0x0004 | variable |
                 +------------------+--------+----------+

                  Table 6: Name Resolution Block Records

   nrb_record_end:
           The nrb_record_end record delimits the end of name resolution
           records.  This record is needed to determine when the list of
           name resolution records has ended and some options (if any)
           begin.

   nrb_record_ipv4:
           The nrb_record_ipv4 record specifies an IPv4 address
           (contained in the first 4 octets), followed by one or more
           zero-terminated UTF-8 strings containing the DNS entries for
           that address.  The minimum valid Record Length for this
           Record Type is thus 6: 4 for the IP octets, 1 character, and
           a zero-value octet terminator.  Note that the IP address is
           treated as four octets, one for each octet of the IP address;
           it is not a 32-bit word, and thus the endianness of the SHB
           does not affect this field's value.

   Example: '127 0 0 1'"localhost".

   [Open issue: is an empty string (i.e., just a zero-value octet)
   valid?]

   nrb_record_ipv6:
           The nrb_record_ipv6 record specifies an IPv6 address
           (contained in the first 16 octets), followed by one or more
           zero-terminated strings containing the DNS entries for that
           address.  The minimum valid Record Length for this Record
           Type is thus 18: 16 for the IP octets, 1 character, and a
           zero-value octet terminator.

   Example: '20 01 0d b8 00 00 00 00 00 00 00 00 12 34 56 78'"somehost".




Tuexen, et al.           Expires 24 January 2024               [Page 35]

Internet-Draft                   pcapng                        July 2023


   [Open issue: is an empty string (i.e., just a zero-value octet)
   valid?]

   nrb_record_eui48 / nrb_record_eui64:
           The nrb_record_eui48 / nrb_record_eui64 records specify an
           EUI (or MAC) address (contained in the first 6 octets for
           eui48, 8 octets for eui64), followed by one or more zero-
           terminated strings containing names resolved for that
           address.  As above, the minimum valid Record Length is 8 for
           EUI-48 and 10 for EUI-64.  There is no presumption implied in
           how these names were acquired unless the DNS server options
           listed below are present in the NRB.

   Example: '02 ca ff ee f0 0d'"teapot under test".

   [Open issue: is an empty string (i.e., just a zero-value octet)
   valid?]

   Record Types other than those specified earlier MUST be ignored and
   skipped past.  More Record Types will likely be defined in the
   future, and MUST NOT break backwards compatibility.

   Each Record Value is aligned to and padded to a 32-bit boundary.  The
   corresponding Record Value Length reflects the actual length of the
   Record Value; it does not include the lengths of the Record Type
   field, the Record Value Length field, any padding for the Record
   Value, or anything after the Record Value.  For Record Types with
   name strings, the Record Length does include the zero-value octet
   terminating that string.  A Record Length of 0 is valid, unless
   indicated otherwise.

   After the list of Name Resolution Records, optionally, a list of
   options (formatted according to the rules defined in Section 3.5) can
   be present.

   In addition to the options defined in Section 3.5, the following
   options are valid within this block:














Tuexen, et al.           Expires 24 January 2024               [Page 36]

Internet-Draft                   pcapng                        July 2023


          +===============+======+==========+===================+
          | Name          | Type | Length   | Multiple allowed? |
          +===============+======+==========+===================+
          | ns_dnsname    | 2    | variable | no                |
          +---------------+------+----------+-------------------+
          | ns_dnsIP4addr | 3    | 4        | no                |
          +---------------+------+----------+-------------------+
          | ns_dnsIP6addr | 4    | 16       | no                |
          +---------------+------+----------+-------------------+

                   Table 7: Name Resolution Block Options

   ns_dnsname:
           The ns_dnsname option is a UTF-8 string containing the name
           of the machine (DNS server) used to perform the name
           resolution.  The string is not zero-terminated.

   Example: "our_nameserver".

   ns_dnsIP4addr:
           The ns_dnsIP4addr option specifies the IPv4 address of the
           DNS server.  Note that the IP address is treated as four
           octets, one for each octet of the IP address; it is not a
           32-bit word, and thus the endianness of the SHB does not
           affect this field's value.

   Example: '192 168 0 1'.

   ns_dnsIP6addr:
           The ns_dnsIP6addr option specifies the IPv6 address of the
           DNS server.

   Example: '20 01 0d b8 00 00 00 00 00 00 00 00 12 34 56 78'.

4.6.  Interface Statistics Block

   The Interface Statistics Block (ISB) contains the capture statistics
   for a given interface and it is optional.  The statistics are
   referred to the interface defined in the current Section identified
   by the Interface ID field.  An Interface Statistics Block is normally
   placed at the end of the file, but no assumptions can be taken about
   its position - it can even appear multiple times for the same
   interface.

   The format of the Interface Statistics Block is shown in Figure 14.






Tuexen, et al.           Expires 24 January 2024               [Page 37]

Internet-Draft                   pcapng                        July 2023


                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    0 |                   Block Type = 0x00000005                     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    4 |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    8 |                         Interface ID                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   12 |                        Timestamp (High)                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   16 |                        Timestamp (Low)                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   20 /                                                               /
      /                      Options (variable)                       /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                Figure 14: Interface Statistics Block Format

   The fields have the following meaning:

   *  Block Type: The block type of the Interface Statistics Block is 5.

   *  Block Total Length: total size of this block, as described in
      Section 3.1.

   *  Interface ID: specifies the interface these statistics refers to;
      the correct interface will be the one whose Interface Description
      Block (within the current Section of the file) is identified by
      same number (see Section 4.2) of this field.

   *  Timestamp: time this statistics refers to.  The format of the
      timestamp is the same already defined in the Enhanced Packet Block
      (Section 4.3); the length of a unit of time is specified by the
      'if_tsresol' option (see Figure 10) of the Interface Description
      Block referenced by this packet.

   *  Options: optionally, a list of options (formatted according to the
      rules defined in Section 3.5) can be present.

   All the statistic fields are defined as options in order to deal with
   systems that do not have a complete set of statistics.  Therefore, In
   addition to the options defined in Section 3.5, the following options
   are valid within this block:




Tuexen, et al.           Expires 24 January 2024               [Page 38]

Internet-Draft                   pcapng                        July 2023


         +==================+======+========+===================+
         | Name             | Type | Length | Multiple allowed? |
         +==================+======+========+===================+
         | isb_starttime    | 2    | 8      | no                |
         +------------------+------+--------+-------------------+
         | isb_endtime      | 3    | 8      | no                |
         +------------------+------+--------+-------------------+
         | isb_ifrecv       | 4    | 8      | no                |
         +------------------+------+--------+-------------------+
         | isb_ifdrop       | 5    | 8      | no                |
         +------------------+------+--------+-------------------+
         | isb_filteraccept | 6    | 8      | no                |
         +------------------+------+--------+-------------------+
         | isb_osdrop       | 7    | 8      | no                |
         +------------------+------+--------+-------------------+
         | isb_usrdeliv     | 8    | 8      | no                |
         +------------------+------+--------+-------------------+

               Table 8: Interface Statistics Block Options

   isb_starttime:
           The isb_starttime option specifies the time the capture
           started; time will be stored in two blocks of four octets
           each.  The format of the timestamp is the same as the one
           defined in the Enhanced Packet Block (Section 4.3); the
           length of a unit of time is specified by the 'if_tsresol'
           option (see Figure 10) of the Interface Description Block
           referenced by this packet.

   Example: '96 c3 04 00 73 89 6a 65', in Little Endian, decodes to
   2012-06-29 06:17:00.834163 UTC.

   isb_endtime:
           The isb_endtime option specifies the time the capture ended;
           time will be stored in two blocks of four octets each.  The
           format of the timestamp is the same as the one defined in the
           Enhanced Packet Block (Section 4.3); the length of a unit of
           time is specified by the 'if_tsresol' option (see Figure 10)
           of the Interface Description Block referenced by this packet.

   Example: '97 c3 04 00 aa 47 ca 64', in Little Endian, decodes to
   2012-06-29 07:28:25.298858 UTC.

   isb_ifrecv:
           The isb_ifrecv option specifies the 64-bit unsigned integer
           number of packets received from the physical interface
           starting from the beginning of the capture.




Tuexen, et al.           Expires 24 January 2024               [Page 39]

Internet-Draft                   pcapng                        July 2023


   Example: the decimal number 100.

   isb_ifdrop:
           The isb_ifdrop option specifies the 64-bit unsigned integer
           number of packets dropped by the interface due to lack of
           resources starting from the beginning of the capture.

   Example: '0'.

   isb_filteraccept:
           The isb_filteraccept option specifies the 64-bit unsigned
           integer number of packets accepted by filter starting from
           the beginning of the capture.

   Example: the decimal number 100.

   isb_osdrop:
           The isb_osdrop option specifies the 64-bit unsigned integer
           number of packets dropped by the operating system starting
           from the beginning of the capture.

   Example: '0'.

   isb_usrdeliv:
           The isb_usrdeliv option specifies the 64-bit unsigned integer
           number of packets delivered to the user starting from the
           beginning of the capture.  The value contained in this field
           can be different from the value 'isb_filteraccept -
           isb_osdrop' because some packets could still be in the OS
           buffers when the capture ended.

   Example: '0'.

   All the fields that refer to packet counters are 64-bit values,
   represented with the octet order of the current section.  Special
   care must be taken in accessing these fields: since all the blocks
   are aligned to a 32-bit boundary, such fields are not guaranteed to
   be aligned on a 64-bit boundary.

4.7.  Decryption Secrets Block

   A Decryption Secrets Block (DSB) stores (session) secrets that enable
   decryption of packets within the capture file.  The format of these
   secrets is defined by the Secrets Type.

   Multiple DSBs can exist in a pcapng file, but they SHOULD be written
   before packet blocks that require those secrets.  Tools MAY limit
   decryption to secrets that appear before packet blocks.



Tuexen, et al.           Expires 24 January 2024               [Page 40]

Internet-Draft                   pcapng                        July 2023


   The structure of a Decryption Secrets Block is shown in Figure 15.

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    0 |                   Block Type = 0x0000000A                     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    4 |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    8 |                          Secrets Type                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   12 |                         Secrets Length                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   16 /                                                               /
      /                          Secrets Data                         /
      /              (variable length, padded to 32 bits)             /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      /                                                               /
      /                       Options (variable)                      /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      /                       Block Total Length                      /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                 Figure 15: Decryption Secrets Block Format

   The Decryption Secrets Block has the following fields.

   *  Block Type: The block type of the Decryption Secrets Block is 10.

   *  Block Total Length: total size of this block, as described in
      Section 3.1.

   *  Secrets Type (32 bits): an unsigned integer identifier that
      describes the format of the following Secrets field.  Requests for
      new Secrets Type codes should be made by creating a pull request
      to update this document as described in Section 10.1.

   *  Secrets Length (32 bits): an unsigned integer that indicates the
      size of the following Secrets field, without any padding octets.

   *  Secrets Data: binary data containing secrets, padded to a 32 bit
      boundary.

   *  Options: optionally, a list of options (formatted according to the
      rules defined in Section 3.5) can be present.  No DSB-specific
      options are currently defined.



Tuexen, et al.           Expires 24 January 2024               [Page 41]

Internet-Draft                   pcapng                        July 2023


   The following is a list of Secrets Types.

   0x544c534b:
           TLS Key Log. This format is described at NSS Key Log Format
           (https://developer.mozilla.org/en-
           US/docs/Mozilla/Projects/NSS/Key_Log_Format).  Every line
           MUST be properly terminated with either carriage return and
           linefeed ('\r\n') or linefeed ('\n').  Tools MUST be able to
           handle both line endings.

   0x57474b4c:
           WireGuard Key Log. Every line consists of the key type,
           equals sign ('='), and the base64-encoded 32-byte key with
           optional spaces before and in between.  The key type is one
           of LOCAL_STATIC_PRIVATE_KEY, REMOTE_STATIC_PUBLIC_KEY,
           LOCAL_EPHEMERAL_PRIVATE_KEY, or PRESHARED|_KEY.  This matches
           the output of extract-handshakes.sh
           (https://git.zx2c4.com/WireGuard/tree/contrib/examples/
           extract-handshakes/README), which is part of the WireGuard
           (https://www.wireguard.com/) project.  A PRESHARED_KEY line
           is linked to a session matched by a previous
           LOCAL_EPHEMERAL_PRIVATE_KEY line.  Every line MUST be
           properly terminated with either carriage return and linefeed
           ('\r\n') or linefeed ('\n').  Tools MUST be able to handle
           both line endings.

   Warning: LOCAL_STATIC_PRIVATE_KEY and potentially PRESHARED_KEY are
   long-term secrets, users SHOULD only store non-production keys, or
   ensure proper protection of the pcapng file.

   0x5a4e574b:
           ZigBee NWK Key and ZigBee PANID for that network.  Network
           Key as described in the ZigBee Specification
           (https://zigbeealliance.org/) 05-3473-21 (R21) section 4.2.2.
           The NWK Key is a 16 octet binary AES-128 key used to secure
           NWK Level frames within a single PAN.  The NWK key is
           immediately followed by the 2 octet (16 bit) network PANID in
           little endian format.  If and when the NWK Key changes a new
           DSB will contain the new NWK Key.

   0x5a415053:
           ZigBee APS Key. Application Support Link Key as described in
           the ZigBee Specification (https://zigbeealliance.org/)
           05-3473-21 (R21) section 4.4.  Each 16 octet binary AES-128
           key secures frames exchanged between a pair of network nodes.
           The APS Key is immediately followed by the 2 octet (16 bit)
           network PANID in little endian format.  The PANID is followed
           by the 2 octet (16 bit) short addresses, in little endian



Tuexen, et al.           Expires 24 January 2024               [Page 42]

Internet-Draft                   pcapng                        July 2023


           format, of the nodes to which the APS Key applies.  The
           numerically lower short address shall come first.  There is
           an APS Key DSB for each node pair for which the Link Key is
           known.  As new links are formed, new DSBs contain the new
           Keys.  If the APS Key changes for an existing link, it is
           contained in a new DSB with the new APS Key.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +---------------------------------------------------------------+
    0 |                   Block Type = 0x0000000A                     |
      +---------------------------------------------------------------+
    4 |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    8 |                  Secrets Type = 0x5a4e574b                    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   12 |                         Secrets Length                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   16 |                            AES-128                            |
      |                            NKW Key                            |
      |                          (16 octets)                          |
      |                           (128 bits)                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   32 |          PAN ID               |           padding (0)         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   36 /                                                               /
      /                       Options (variable)                      /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      /                       Block Total Length                      /
      +---------------------------------------------------------------+

                   Figure 16: ZigBee NWK Key Data Format


















Tuexen, et al.           Expires 24 January 2024               [Page 43]

Internet-Draft                   pcapng                        July 2023


      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +---------------------------------------------------------------+
    0 |                   Block Type = 0x0000000A                     |
      +---------------------------------------------------------------+
    4 |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    8 |                  Secrets Type = 0x5a415053                    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   12 |                         Secrets Length                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   16 |                            AES-128                            |
      |                            APS Key                            |
      |                          (16 octets)                          |
      |                           (128 bits)                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   32 |           PAN ID              |     Low Node Short Address    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   36 |    High Node Short Address    |         padding (0)           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   40 /                                                               /
      /                       Options (variable)                      /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      /                       Block Total Length                      /
      +---------------------------------------------------------------+

                   Figure 17: ZigBee APS Key Data Format

4.8.  Custom Block

   A Custom Block (CB) is the container for storing custom data that is
   not part of another block; for storing custom data as part of another
   block, see Section 3.5.1.  The Custom Block is optional, can be
   repeated any number of times, and can appear before or after any
   other block except the first Section Header Block which must come
   first in the file.  Different Custom Blocks, of different type codes
   and/or different Private Enterprise Numbers, may be used in the same
   pcapng file.  The format of a Custom Block is shown in Figure 18.












Tuexen, et al.           Expires 24 January 2024               [Page 44]

Internet-Draft                   pcapng                        July 2023


                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    0 |             Block Type = 0x00000BAD or 0x40000BAD             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    4 |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    8 |                Private Enterprise Number (PEN)                |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   12 /                                                               /
      /                          Custom Data                          /
      /              variable length, padded to 32 bits               /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      /                                                               /
      /                      Options (variable)                       /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                       Figure 18: Custom Block Format

   The Custom Block uses the type code 0x00000BAD (2989 in decimal) for
   a custom block that pcapng re-writers can copy into new files, and
   the type code 0x40000BAD (1073744813 in decimal) for one that should
   not be copied.  See Section 5.2 for details.

   The Custom Block has the following fields:

   *  Block Type: The block type of the Custom Block is 0x00000BAD or
      0x40000BAD, as described previously.

   *  Block Total Length: total size of this block, as described in
      Section 3.1.

   *  Private Enterprise Number (32 bits): An IANA-assigned Private
      Enterprise Number identifying the organization which defined the
      Custom Block.  See Section 5.1 for details.  The PEN MUST be
      encoded using the same endianness as the Section Header Block it
      is within the scope of.

   *  Custom Data: the custom data, padded to a 32 bit boundary.

   *  Options: optionally, a list of options (formatted according to the
      rules defined in Section 3.5) can be present.  Note that custom
      options for the Custom Block still use the custom option format
      and type code, as described in Section 3.5.1.



Tuexen, et al.           Expires 24 January 2024               [Page 45]

Internet-Draft                   pcapng                        July 2023


5.  Vendor-Specific Custom Extensions

   This section uses the term "vendor" to describe an organization which
   extends the pcapng file with custom, proprietary blocks or options.
   It should be noted, however, that the "vendor" is just an abstract
   entity that agrees on a custom extension format: for example it may
   be a manufacturer, industry association, an individual user, or
   collective group of users.

5.1.  Supported Use-Cases

   There are two different supported use-cases for vendor-specific
   custom extensions: local and portable.  Local use means the custom
   data is only expected to be usable on the same machine, and the same
   application, which encoded it into the file.  This limitation is due
   to the lack of a common registry for the local use number codes (the
   block or option type code numbers with the Most Significant Bit set).
   Since two different vendors may choose the same number, one vendor's
   application reading the other vendor's file would result in decoding
   failure.  Therefore, vendors SHOULD instead use the portable method,
   as described next.

   The portable use-case supports vendor-specific custom extensions in
   pcapng files which can be shared across systems, organizations, etc.
   To avoid number space collisions, an IANA-registered Private
   Enterprise Number (PEN) is encoded into the Custom Block or Custom
   Option, using the PEN that belongs to the vendor defining the
   extension.  Anyone can register a new PEN with IANA, for free, by
   filling out the online request form at http://pen.iana.org/pen/
   PenApplication.page (http://pen.iana.org/pen/PenApplication.page).

5.2.  Controlling Copy Behavior

   Both Custom Blocks and Custom Options support two different type
   codes to distinguish their "copy" behavior: a type code for when the
   block or option can be safely copied into a new pcapng file by a
   pcapng manipulating application, and a type code for when it should
   not be copied.  A common reason for not copying a Custom Block or
   Custom Option is because it depends on other blocks or options in
   some way that would invalidate the custom data if the other blocks/
   options were removed or re-ordered.  For example, if a Custom Block's
   data includes an Interface ID number in its Custom Data portion, then
   it cannot be safely copied by a pcapng application that merges pcapng
   files, because the merging application might re-order or remove one
   or more of the Interface Description Blocks, and thereby change the
   Interface IDs that the Custom Block depends upon.  The same issue
   arises if a Custom Block or Custom Option depends on the presence of,
   or specific ordering of, other standard-based or custom-defined



Tuexen, et al.           Expires 24 January 2024               [Page 46]

Internet-Draft                   pcapng                        July 2023


   blocks or options.

   Note that the copy semantics is not related to privacy - there is no
   guarantee that a pcapng anonymizer will remove a Custom Block or
   Custom Option, even if the appropriate type code is used requesting
   it not be copied; and the original pcapng file can be shared anyway.
   If the Custom Data portion of the Custom Block or Custom Option
   contains sensitive information, then it should be encrypted in some
   fashion.

5.3.  Strings vs. Octets

   For the Custom Options, there are two Custom Data formats supported:
   a UTF-8 string and a binary data payload.  The rationale for this
   separation is that a pcapng display application which does not
   understand the specific PEN's Custom Option can still display the
   data as a string if it's a string type code, rather than as hex-ascii
   of the octets.

5.4.  Endianness Issues

   Implementers writing Custom Blocks or binary data Custom Options
   should be aware that a pcapng file can be re-written by machines
   using a different endianness than the original file, which means all
   known fields of the pcapng file will change endianness in the new
   file.  Since the Custom Data payload of the Custom Block or the
   binary data Custom Option might be an arbitrary sequence of unknown
   octets to such machines, they cannot convert multi-octet values
   inside the Custom Data, or in the Options section of a Custom
   Block,into the appropriate endianness.

   For example, a little-endian machine can create a new pcapng file and
   add some binary data Custom Options to some non-Custom Block(s) in
   the file.  This file can then be sent to a big-endian host, which
   will convert the Option Type, Option Length, and PEN fields of the
   options to big-endian format if it re-writes the file.  However, if
   the software reading the file does not understand the contents of all
   of the Custom Options, it will leave the Custom Data payload of the
   options alone (as little-endian format).  If this file then gets sent
   to a little-endian machine, then, when that little-endian machine
   reads the file, it will, if the software reading the file understands
   the contents of all the Custom Options, it will detect that the file
   format is big-endian, and swap the endianness while it parses the
   file - but that will cause the Custom Data payload to be incorrect
   since it was already in little-endian format.






Tuexen, et al.           Expires 24 January 2024               [Page 47]

Internet-Draft                   pcapng                        July 2023


   In addition, a little-endian machine can create a pcapng file and
   write some binary data Custom Blocks, containing options, to the
   file.  The file can then be sent to a big-endian host, which, if the
   software reading the file does not understand the contents of the
   Custom Blocks, will leave the Custom Data and Options alone (as
   little-endian format).  If this file then gets sent to a little-
   endian machine, then, when that little-endian machine reads the file,
   it will, if the software reading the file understands the contents of
   all the Custom Blocks, it will detect that the file format is big-
   endian, and swap the endianness while it parses the file - but that
   will cause the Custom Data payload, the Option Type and Option Length
   values in the Options, and the PEN in any Custom Options to be
   incorrect since they were already in little-endian format.

   Therefore, the vendor should either encode the Custom Data of their
   Custom Blocks and Custom Options, the Option Type and Option Length
   fields of options in Custom Blocks, and the PEN field of Custom
   Options in Custom Blocks in a consistent manner, such as always in
   big-endian or always in little-endian format, regardless of the host
   platform's endianness, or should encode some flag in the Custom Data
   payload to indicate in which endianness the rest of the payload is
   written.

   The PEN field of a Custom Block, or of a Custom Option not contained
   in a Custom Block, MUST be converted by code that reads pcapng files,
   so this is not an issue for that field, except for Custom Options in
   Custom Blocks.  This is also not an issue for the Custom Data payload
   of UTF-8 string Custom Options.

6.  Recommended File Name Extension: .pcapng

   The recommended file name extension for the "PCAP Next Generation
   Capture File Format" specified in this document is ".pcapng".

   On Windows and macOS, files are distinguished by an extension to
   their filename.  Such an extension is technically not actually
   required, as applications should be able to automatically detect the
   pcapng file format through the "magic bytes" at the beginning of the
   file, as some other UN*X desktop environments do.  However, using
   name extensions makes it easier to work with files (e.g. visually
   distinguish file formats) so it is recommended - though not required
   - to use .pcapng as the name extension for files following this
   specification.

   Please note: To avoid confusion (such as the current usage of .cap
   for a plethora of different capture file formats) file name
   extensions other than .pcapng should be avoided.




Tuexen, et al.           Expires 24 January 2024               [Page 48]

Internet-Draft                   pcapng                        July 2023


7.  Conclusions

   The file format proposed in this document should be very versatile
   and satisfy a wide range of applications.  In the simplest case, it
   can contain a raw capture of the network data, made of a series of
   Simple Packet Blocks.  In the most complex case, it can be used as a
   repository for heterogeneous information.  In every case, the file
   remains easy to parse and an application can always skip the data it
   is not interested in; at the same time, different applications can
   share the file, and each of them can benefit of the information
   produced by the others.  Two or more files can be concatenated
   obtaining another valid file.

8.  Implementations

   Some known implementations that read or write the pcapng file format
   are listed on the pcapng GitHub wiki (https://github.com/IETF-OPSAWG-
   WG/pcapng/wiki/Implementations).

9.  Security Considerations

   TBD.

10.  IANA Considerations

   TBD.

   [Open issue: decide whether the block types, option types, NRB Record
   types, etc. should be IANA registries.  And if so, what the IANA
   policy for each should be (see RFC 5226)]

10.1.  Standardized Block Type Codes

   Every Block is uniquely identified by a 32-bit integer value, stored
   in the Block Header.

   As pointed out in Section 3.1, Block Type codes whose Most
   Significant Bit (bit 31) is set to 1 are reserved for local use by
   the application.

   All the remaining Block Type codes (0x00000000 to 0x7FFFFFFF) are
   standardized by this document.  Requests for new Block Type codes,
   Option Type codes, and Secrets Type codes should be made by creating
   a pull request to update this document at github.com/IETF-OPSAWG-WG/
   pcapng (https://github.com/IETF-OPSAWG-WG/pcapng).  The pull request
   should add a description of the new block, option, or secret type to
   Section 4.  The pull request description should contain a clear
   request for a new type code assignment.



Tuexen, et al.           Expires 24 January 2024               [Page 49]

Internet-Draft                   pcapng                        July 2023


   The following is a list of the Standardized Block Type Codes:

    +=====================+===========================================+
    |Block Type Code      |Description                                |
    +=====================+===========================================+
    |0x00000000           |Reserved ???                               |
    +---------------------+-------------------------------------------+
    |0x00000001           |Interface Description Block (Section 4.2)  |
    +---------------------+-------------------------------------------+
    |0x00000002           |Packet Block (Appendix A)                  |
    +---------------------+-------------------------------------------+
    |0x00000003           |Simple Packet Block (Section 4.4)          |
    +---------------------+-------------------------------------------+
    |0x00000004           |Name Resolution Block (Section 4.5)        |
    +---------------------+-------------------------------------------+
    |0x00000005           |Interface Statistics Block (Section 4.6)   |
    +---------------------+-------------------------------------------+
    |0x00000006           |Enhanced Packet Block (Section 4.3)        |
    +---------------------+-------------------------------------------+
    |0x00000007           |IRIG Timestamp Block (requested by Gianluca|
    |                     |Varenni <gianluca.varenni@cacetech.com>,   |
    |                     |CACE Technologies LLC); code also used for |
    |                     |Socket Aggregation Event Block             |
    |                     |(https://github.com/google/linux-          |
    |                     |sensor/blob/master/hone-pcapng.txt)        |
    +---------------------+-------------------------------------------+
    |0x00000008           |ARINC 429 (https://en.wikipedia.org/wiki/  |
    |                     |ARINC_429) in AFDX Encapsulation           |
    |                     |Information Block (requested by Gianluca   |
    |                     |Varenni <gianluca.varenni@cacetech.com>,   |
    |                     |CACE Technologies LLC)                     |
    +---------------------+-------------------------------------------+
    |0x00000009           |[systemd Journal Export                    |
    |                     |Block][I-D.richardson-opsawg-pcapng-extras]|
    +---------------------+-------------------------------------------+
    |0x0000000A           |Decryption Secrets Block (Section 4.7)     |
    +---------------------+-------------------------------------------+
    |0x00000101           |Hone Project (https://github.com/          |
    |                     |HoneProject) Machine Info Block            |
    |                     |(https://github.com/HoneProject/Linux-     |
    |                     |Sensor/wiki/Augmented-PCAP-Next-Generation-|
    |                     |Dump-File-Format) (see also Google version |
    |                     |(https://github.com/google/linux-          |
    |                     |sensor/blob/master/hone-pcapng.txt))       |
    +---------------------+-------------------------------------------+
    |0x00000102           |Hone Project (https://github.com/          |
    |                     |HoneProject) Connection Event Block        |
    |                     |(https://github.com/HoneProject/Linux-     |



Tuexen, et al.           Expires 24 January 2024               [Page 50]

Internet-Draft                   pcapng                        July 2023


    |                     |Sensor/wiki/Augmented-PCAP-Next-Generation-|
    |                     |Dump-File-Format) (see also Google version |
    |                     |(https://github.com/google/linux-          |
    |                     |sensor/blob/master/hone-pcapng.txt))       |
    +---------------------+-------------------------------------------+
    |0x00000201           |Sysdig (https://github.com/draios/sysdig)  |
    |                     |Machine Info Block                         |
    +---------------------+-------------------------------------------+
    |0x00000202           |Sysdig (https://github.com/draios/sysdig)  |
    |                     |Process Info Block, version 1              |
    +---------------------+-------------------------------------------+
    |0x00000203           |Sysdig (https://github.com/draios/sysdig)  |
    |                     |FD List Block                              |
    +---------------------+-------------------------------------------+
    |0x00000204           |Sysdig (https://github.com/draios/sysdig)  |
    |                     |Event Block                                |
    +---------------------+-------------------------------------------+
    |0x00000205           |Sysdig (https://github.com/draios/sysdig)  |
    |                     |Interface List Block                       |
    +---------------------+-------------------------------------------+
    |0x00000206           |Sysdig (https://github.com/draios/sysdig)  |
    |                     |User List Block                            |
    +---------------------+-------------------------------------------+
    |0x00000207           |Sysdig (https://github.com/draios/sysdig)  |
    |                     |Process Info Block, version 2              |
    +---------------------+-------------------------------------------+
    |0x00000208           |Sysdig (https://github.com/draios/sysdig)  |
    |                     |Event Block with flags                     |
    +---------------------+-------------------------------------------+
    |0x00000209           |Sysdig (https://github.com/draios/sysdig)  |
    |                     |Process Info Block, version 3              |
    +---------------------+-------------------------------------------+
    |0x00000210           |Sysdig (https://github.com/draios/sysdig)  |
    |                     |Process Info Block, version 4              |
    +---------------------+-------------------------------------------+
    |0x00000211           |Sysdig (https://github.com/draios/sysdig)  |
    |                     |Process Info Block, version 5              |
    +---------------------+-------------------------------------------+
    |0x00000212           |Sysdig (https://github.com/draios/sysdig)  |
    |                     |Process Info Block, version 6              |
    +---------------------+-------------------------------------------+
    |0x00000213           |Sysdig (https://github.com/draios/sysdig)  |
    |                     |Process Info Block, version 7              |
    +---------------------+-------------------------------------------+
    |0x00000BAD           |Custom Block that rewriters can copy into  |
    |                     |new files (Section 4.8)                    |
    +---------------------+-------------------------------------------+
    |0x40000BAD           |Custom Block that rewriters should not copy|



Tuexen, et al.           Expires 24 January 2024               [Page 51]

Internet-Draft                   pcapng                        July 2023


    |                     |into new files (Section 4.8)               |
    +---------------------+-------------------------------------------+
    |0x0A0D0D0A           |Section Header Block (Section 4.1)         |
    +---------------------+-------------------------------------------+
    |0x0A0D0A00-0x0A0D0AFF|Reserved.  Used to detect trace files      |
    |                     |corrupted because of file transfers using  |
    |                     |the HTTP protocol in text mode.            |
    +---------------------+-------------------------------------------+
    |0x000A0D0A-0xFF0A0D0A|Reserved.  Used to detect trace files      |
    |                     |corrupted because of file transfers using  |
    |                     |the HTTP protocol in text mode.            |
    +---------------------+-------------------------------------------+
    |0x000A0D0D-0xFF0A0D0D|Reserved.  Used to detect trace files      |
    |                     |corrupted because of file transfers using  |
    |                     |the HTTP protocol in text mode.            |
    +---------------------+-------------------------------------------+
    |0x0D0D0A00-0x0D0D0AFF|Reserved.  Used to detect trace files      |
    |                     |corrupted because of file transfers using  |
    |                     |the FTP protocol in text mode.             |
    +---------------------+-------------------------------------------+
    |0x80000000-0xFFFFFFFF|Reserved for local use.                    |
    +---------------------+-------------------------------------------+

                   Table 9: Standardized Block Type Codes

   [Open issue: reserve 0x40000000-0x7FFFFFFF for do-not-copy-bit range
   of base types?]

11.  Contributors

   Loris Degioanni and Gianluca Varenni were coauthoring this document
   before it was submitted to the IETF.

12.  Acknowledgments

   The authors wish to thank Anders Broman, Ulf Lamping, Richard Sharpe
   and many others for their invaluable comments.

13.  References

13.1.  Normative References

   [I-D.richardson-opsawg-pcaplinktype]
              Harris, G. and M. Richardson, "PCAP and PCAPNG LINKTYPE
              Registry", Work in Progress, Internet-Draft, draft-
              richardson-opsawg-pcaplinktype-01, 6 November 2022,
              <https://datatracker.ietf.org/doc/html/draft-richardson-
              opsawg-pcaplinktype-01>.



Tuexen, et al.           Expires 24 January 2024               [Page 52]

Internet-Draft                   pcapng                        July 2023


   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

13.2.  Informative References

   [I-D.richardson-opsawg-pcapng-extras]
              Tüxen, M., Risso, F., Bongertz, J., Combs, G., Harris, G.,
              Chaudron, E., and M. Richardson, "Additional block types
              for PCAP Next Generation (pcapng) Capture File Format",
              Work in Progress, Internet-Draft, draft-richardson-opsawg-
              pcapng-extras-01, 29 July 2022,
              <https://datatracker.ietf.org/doc/html/draft-richardson-
              opsawg-pcapng-extras-01>.

Appendix A.  Packet Block (obsolete!)

   The Packet Block is obsolete, and MUST NOT be used in new files.  Use
   the Enhanced Packet Block or Simple Packet Block instead.  This
   section is for historical reference only.

   A Packet Block was a container for storing packets coming from the
   network.























Tuexen, et al.           Expires 24 January 2024               [Page 53]

Internet-Draft                   pcapng                        July 2023


                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    0 |                    Block Type = 0x00000002                    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    4 |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    8 |         Interface ID          |          Drops Count          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   12 |                        Timestamp (High)                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   16 |                        Timestamp (Low)                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   20 |                    Captured Packet Length                     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   24 |                    Original Packet Length                     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   28 /                                                               /
      /                          Packet Data                          /
      /              variable length, padded to 32 bits               /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      /                                                               /
      /                      Options (variable)                       /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      Block Total Length                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                       Figure 19: Packet Block Format

   The Packet Block has the following fields:

   *  Block Type: The block type of the Packet Block is 2.

   *  Block Total Length: total size of this block, as described in
      Section 3.1.

   *  Interface ID: specifies the interface this packet comes from; the
      correct interface will be the one whose Interface Description
      Block (within the current Section of the file) is identified by
      the same number (see Section 4.2) of this field.  The interface ID
      MUST be valid, which means that an matching interface description
      block MUST exist.







Tuexen, et al.           Expires 24 January 2024               [Page 54]

Internet-Draft                   pcapng                        July 2023


   *  Drops Count: a local drop counter.  It specifies the number of
      packets lost (by the interface and the operating system) between
      this packet and the preceding one.  The value xFFFF (in
      hexadecimal) is reserved for those systems in which this
      information is not available.

   *  Timestamp (High) and Timestamp (Low): timestamp of the packet.
      The format of the timestamp is the same as was already defined for
      the Enhanced Packet Block (Section 4.3).

   *  Captured Packet Length: number of octets captured from the packet
      (i.e. the length of the Packet Data field).  It will be the
      minimum value among the Original Packet Length and the snapshot
      length for the interface (SnapLen, defined in Figure 10).  The
      value of this field does not include the padding octets added at
      the end of the Packet Data field to align the Packet Data field to
      a 32-bit boundary.

   *  Original Packet Length: actual length of the packet when it was
      transmitted on the network.  It can be different from Captured
      Packet Length if the packet has been truncated by the capture
      process.

   *  Packet Data: the data coming from the network, including link-
      layer headers.  The actual length of this field is Captured Packet
      Length plus the padding to a 32-bit boundary.  The format of the
      link-layer headers depends on the LinkType field specified in the
      Interface Description Block (see Section 4.2) and it is specified
      in the entry for that format in
      [I-D.richardson-opsawg-pcaplinktype].

   *  Options: optionally, a list of options (formatted according to the
      rules defined in Section 3.5) can be present.

   In addition to the options defined in Section 3.5, the following
   options were valid within this block:

           +============+======+==========+===================+
           | Name       | Type | Length   | Multiple allowed? |
           +============+======+==========+===================+
           | pack_flags | 2    | 4        | no                |
           +------------+------+----------+-------------------+
           | pack_hash  | 3    | variable | yes               |
           +------------+------+----------+-------------------+

                      Table 10: Packet Block Options

   pack_flags:



Tuexen, et al.           Expires 24 January 2024               [Page 55]

Internet-Draft                   pcapng                        July 2023


           The pack_flags option is the same as the epb_flags of the
           enhanced packet block.

   Example: '0'.

   pack_hash:
           The pack_hash option is the same as the epb_hash of the
           enhanced packet block.

   Examples: '02 EC 1D 87 97', '03 45 6E C2 17 7C 10 1E 3C 2E 99 6E C2
   9A 3D 50 8E'.

Authors' Addresses

   Michael Tuexen (editor)
   Muenster University of Applied Sciences
   Stegerwaldstrasse 39
   48565 Steinfurt
   Germany
   Email: tuexen@fh-muenster.de


   Fulvio Risso
   Politecnico di Torino
   Corso Duca degli Abruzzi, 24
   10129 Torino
   Italy
   Email: fulvio.risso@polito.it


   Jasper Bongertz
   Airbus Defence and Space CyberSecurity
   Kanzlei 63c
   40667 Meerbusch
   Germany
   Email: jasper@packet-foo.com


   Gerald Combs
   Wireshark Foundation
   339 Madson Pl
   Davis, CA 95618
   United States of America
   Email: gerald@wireshark.org


   Guy Harris
   Email: gharris@sonic.net



Tuexen, et al.           Expires 24 January 2024               [Page 56]

Internet-Draft                   pcapng                        July 2023


   Eelco Chaudron
   Red Hat
   De Entree 238
   1101 EE Amsterdam
   Netherlands
   Email: eelco@redhat.com


   Michael C. Richardson
   Sandelman Software Works
   Email: mcr+ietf@sandelman.ca
   URI:   http://www.sandelman.ca/







































Tuexen, et al.           Expires 24 January 2024               [Page 57]