
pcapng format #2

Open
patrickpreuss opened this issue Feb 16, 2018 · 2 comments
Comments

@patrickpreuss

Would it be possible to use pcapng?

Why?
Only one file regardless of the number of interfaces.

It might also be possible to merge with:
#diagnose debug flow filter addr x.x.x.x
#diagnose debug flow show console enable
#diagnose debug flow show function-name enable
#diagnose debug console timestamp enable
#diagnose debug flow trace start 999
#diagnose debug enable

@DirkDuesentrieb
Owner

I'll try to sort your points:

  • pcapng is more complex to implement; what would be the advantage to the user?
  • the tool will create multiple files if needed! See The Verbosity Level. You will get one file per interface.
  • flow debugging is a different method to troubleshoot flows, more to see if an ACL or NAT is working. My tool helps to look into packets traversing the FW, e.g. to identify retransmissions or see who resets a connection. Or maybe I just don't get your point. What is your idea "to merge" here?

@patrickpreuss
Author

Hi Dirk

  • pcapng

Yes, it is more complex, but it supports more things, like multiple interfaces per capture file.
We have a more complex setup per box: VDOMs for FW, VPN, IPS, or different VDOMs for server zones.

  • flow debugging: as far as I understand the specs for pcapng, you can annotate a packet with additional information

So if we can have multiple interfaces in the capture file, we can match sessions across VDOMs and save the NAT and other information relating to the session inside the capture; it might also be valid to have the matching policy attached to the capture.

So it might be possible to have all needed information within "one" source, and it might be possible to have that information displayed and analysed within Wireshark.

Might be helpful to analyse NAT / SIP problems and the like within Wireshark.

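The two points argued above (one file carrying several interfaces instead of one file per interface, and per-packet annotation with NAT or policy details) can be tried out with the minimal pcapng writer and reader below. This is an added example, not code from the tool discussed in this issue or from its owner; the interface names, addresses, session and policy numbers and the placeholder frame are all constructed, and the comment text format is an assumption, since pcapng's `opt_comment` is free text. The same session is written as seen on both sides of a source NAT, with the Interface ID of each Enhanced Packet Block pointing at its own Interface Description Block.

```python
"""Minimal pcapng writer and reader: several interfaces in one file, packets
annotated with an opt_comment.  Added example, not the tool's own code; all
frames, names, addresses and session/policy numbers are constructed."""
import struct

# Block types and option codes from the pcapng specification.
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
OPT_END, OPT_COMMENT, IF_NAME, IF_TSRESOL = 0, 1, 2, 9
LINKTYPE_ETHERNET = 1

# Constructed 34-byte placeholder frame (Ethernet header + zeroed IPv4 header).
FRAME = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\x45" + b"\x00" * 19

def _pad4(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 4)

def _option(code: int, value: bytes) -> bytes:
    # Option = 16-bit code, 16-bit value length, value padded to 32 bits.
    return struct.pack("<HH", code, len(value)) + _pad4(value)

def _block(btype: int, body: bytes) -> bytes:
    # Block Total Length covers type, both length fields and body; it is
    # repeated at the end so a reader can also walk the file backwards.
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

class PcapngWriter:
    def __init__(self) -> None:
        # SHB: byte-order magic, version 1.0, section length -1 (unspecified).
        body = struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + _option(OPT_END, b"")
        self.blocks = [_block(SHB, body)]
        self.interfaces = []

    def add_interface(self, name: str, snaplen: int = 65535) -> int:
        body = struct.pack("<HHI", LINKTYPE_ETHERNET, 0, snaplen)
        body += _option(IF_NAME, name.encode())
        body += _option(IF_TSRESOL, b"\x06")   # timestamps in microseconds
        body += _option(OPT_END, b"")
        self.blocks.append(_block(IDB, body))
        self.interfaces.append(name)
        return len(self.interfaces) - 1         # Interface ID used by EPBs

    def add_packet(self, iface_id: int, ts_us: int, data: bytes, comment: str = "") -> None:
        # An EPB may only reference an IDB that precedes it in the section.
        if not 0 <= iface_id < len(self.interfaces):
            raise ValueError("interface %d not declared" % iface_id)
        body = struct.pack("<IIIII", iface_id, ts_us >> 32, ts_us & 0xFFFFFFFF,
                           len(data), len(data)) + _pad4(data)
        if comment:
            body += _option(OPT_COMMENT, comment.encode()) + _option(OPT_END, b"")
        self.blocks.append(_block(EPB, body))

    def tobytes(self) -> bytes:
        return b"".join(self.blocks)

def read_blocks(buf: bytes):
    """Walk the block chain; return (type, body) pairs, checking both length fields."""
    off, out = 0, []
    while off < len(buf):
        btype, total = struct.unpack_from("<II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError("bad block length at offset %d" % off)
        if struct.unpack_from("<I", buf, off + total - 4)[0] != total:
            raise ValueError("trailing length mismatch at offset %d" % off)
        out.append((btype, buf[off + 8:off + total - 4]))
        off += total
    return out

def _find_option(opts: bytes, code: int) -> bytes:
    off = 0
    while off + 4 <= len(opts):
        c, ln = struct.unpack_from("<HH", opts, off)
        if c == OPT_END:
            break
        if c == code:
            return opts[off + 4:off + 4 + ln]
        off += 4 + (ln + 3) // 4 * 4
    return b""

def packet_comments(buf: bytes):
    """Return [(interface name, comment)] per packet, i.e. what Wireshark would show."""
    names, out = [], []
    for btype, body in read_blocks(buf):
        if btype == IDB:
            names.append(_find_option(body[8:], IF_NAME).decode())
        elif btype == EPB:
            iface_id, _, _, caplen, _ = struct.unpack_from("<IIIII", body)
            opts = body[20 + (caplen + 3) // 4 * 4:]
            out.append((names[iface_id], _find_option(opts, OPT_COMMENT).decode()))
    return out

def build_demo() -> bytes:
    """One session seen on both sides of a source NAT, in a single file."""
    w = PcapngWriter()
    wan, lan = w.add_interface("port1"), w.add_interface("port2")
    t = 1518768000_000000   # 2018-02-16 08:00:00 UTC, in microseconds
    w.add_packet(lan, t, FRAME,
                 "session 42 pre-NAT 10.0.0.5:51234 -> 203.0.113.9:5060 policy 7")
    w.add_packet(wan, t + 25, FRAME,
                 "session 42 post-NAT 198.51.100.2:51234 -> 203.0.113.9:5060 policy 7")
    w.add_packet(wan, t + 40_000, FRAME)   # reply, left unannotated
    return w.tobytes()
```

`open("demo.pcapng", "wb").write(build_demo())` produces a file Wireshark opens directly; the `opt_comment` appears as the packet comment and can be filtered with `frame.comment contains "session 42"`, which is what makes cross-VDOM matching possible from one capture. Two details matter for a converter: an EPB must come after the IDB it references (hence the check in `add_packet`), and `if_tsresol` must match the unit the timestamps were written in, or every packet lands at the wrong time.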