Implement PCAPdroid trailer equivalent in pcapng
emanuele-f opened this issue · 0 comments
emanuele-f commented
Currently the PCAPdroid trailer is not supported with the pcapng dump format.
Contrary to PCAP, the pcapng format is extensible so it's not needed to add fake ethernet header and trailer to it. Instead, it's possible to define some custom blocks.
One block type, for example, could contain the uid -> package_name mappings, which would save a lot of space in the capture (currently the package name takes 20 bytes per packet). Another block could then specify just the UID for a given connection (just 4 bytes).