Can you change the capture format to support the diagnostic process?


Would it be feasible to have options to:

  1. Add HOSTS file information that will travel with the PCAP file as it is sent to vendors, etc.
  2. Or, an option to save the file with the current HOSTS file information
  3. Add Summary information on the problem.
  4. Obfuscate IP addresses for confidentiality reasons (modify HOSTS IP information (#1) accordingly)
  5. Add a user-initiated record to mark events in a trace with timestamps and user comment
  6. Add a network trace analyst record to enable permanent highlighting of trace areas with comments

That's what pcap-ng envisions to provide. Wireshark only supports a limited subset of its features.

Item 4 isn't a capture format issue - you'd want to obfuscate the actual raw packet data, regardless of the capture format. If Wireshark supported putting address-mapping information in pcap-ng captures, you'd also want to either map the obfuscated addresses to the real names or remove the address-mapping information.

(15 Sep '10, 17:02) Guy Harris ♦♦
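
An added example (not from the thread and not Wireshark code) of the point in the comment above: the obfuscation is applied to the raw IPv4 header, and the same mapping is reused when the HOSTS entries are written as a pcap-ng Name Resolution Block. The function names, the HMAC-based mapping into 10.0.0.0/8, the key and the sample header are assumptions made for illustration; the block is written little-endian and covers IPv4 only.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # assumption: per-capture secret kept by the sender
# Constructed sample: 20-byte IPv4 header, 192.0.2.10 -> 198.51.100.7, checksum zeroed
SAMPLE_HEADER = bytes.fromhex("450000140000000040060000c000020ac6336407")


def pseudonymize(addr: bytes, key: bytes = KEY) -> bytes:
    """Map a 4-byte IPv4 address into 10.0.0.0/8, deterministically per key.
    Only 24 bits survive, so very large address sets can collide."""
    return b"\x0a" + hmac.new(key, addr, hashlib.sha256).digest()[:3]


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement checksum over the header; 0 when the stored checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def obfuscate_ipv4_header(packet: bytes, key: bytes = KEY) -> bytes:
    """Rewrite source and destination in the raw bytes, then fix the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    h = bytearray(packet[:ihl])
    h[12:16] = pseudonymize(bytes(h[12:16]), key)
    h[16:20] = pseudonymize(bytes(h[16:20]), key)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + packet[ihl:]


def name_resolution_block(hosts: dict[str, str], key: bytes = KEY) -> bytes:
    """pcap-ng NRB (block type 4) whose IPv4 records carry the obfuscated addresses."""
    body = b""
    for ip, name in hosts.items():
        value = pseudonymize(ipaddress.IPv4Address(ip).packed, key) + name.encode() + b"\x00"
        # nrb_record_ipv4 = 1; record values are padded to a 32-bit boundary
        body += struct.pack("<HH", 1, len(value)) + value + b"\x00" * (-len(value) % 4)
    body += struct.pack("<HH", 0, 0)  # nrb_record_end
    total = 12 + len(body)  # type + length + body + trailing length
    return struct.pack("<II", 4, total) + body + struct.pack("<I", total)


if __name__ == "__main__":
    print(obfuscate_ipv4_header(SAMPLE_HEADER).hex())
    print(name_resolution_block({"192.0.2.10": "fileserver.example"}).hex())
```

TCP and UDP checksums include the addresses through the pseudo-header, so a full tool would recompute those as well, and addresses embedded in payloads are not touched by this header rewrite.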


Gary - you can check out pcap-ng information at

I think you have a great list going!

