
The log file has timestamps. So these could be used to interleave the information fairly properly.

Interleaving has to be done in a file, which requires a file format that supports text logs.

I could also pipe the text log to a converter that would take the incoming text lines and convert them to a pcap file.

pcap format is a format in which all records are packet records, with the packets all having a particular link-layer header type. In order to put textual messages in a pcap file, you would have to "fake it" by, for example, using a currently-unused Ethernet type to mean "this isn't a packet, it's a log message", add a dissector for that Ethernet type, and hope that all your captures will have link-layer headers that include an Ethernet type.

pcapng format, however, is more flexible; for example, a Text Log Message Block could be added, with a time stamp, options, and a body that just contains UTF-8 text. Either the time stamp would have to have a resolution hardwired for all such blocks or there would have to be blocks indicating message sources, similar to Interface Description Blocks. I'd be inclined to vote for the latter.

Proposals for new block types are probably best done as pull requests for the pcapng specification repository.
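
The pcap "fake it" approach described in the answer, as an added example that is not part of the original answer or of Wireshark: each timestamped log line becomes a packet record whose fake Ethernet header carries a dedicated type. The EtherType 0x88B5 (IEEE 802 Local Experimental EtherType 1), the log line layout `<ISO-8601 UTC timestamp> <message>`, and all function names are assumptions made for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

LINKTYPE_ETHERNET = 1
ETHERTYPE_LOG = 0x88B5  # assumption: IEEE 802 Local Experimental EtherType 1
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def log_record(line):
    """Encode '<ISO-8601 UTC timestamp> <message>' as one pcap packet record."""
    stamp, _, message = line.rstrip("\n").partition(" ")
    delta = datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc) - EPOCH
    sec, usec = delta // timedelta(seconds=1), delta.microseconds
    # Fake Ethernet header: zeroed MAC addresses, then the "log message" type.
    frame = bytes(12) + struct.pack("!H", ETHERTYPE_LOG) + message.encode("utf-8")
    # Record header: ts_sec, ts_usec, captured length, original length.
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def build_pcap(lines):
    """Return a complete pcap file (microsecond resolution, Ethernet link type)."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, link type.
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    # Same-format ISO-8601 stamps sort chronologically as plain strings.
    return header + b"".join(log_record(l) for l in sorted(lines))

def read_log_messages(pcap):
    """Walk the records and return (seconds, microseconds, text) for log frames."""
    out, pos = [], 24  # skip the 24-byte global header
    while pos < len(pcap):
        sec, usec, incl, _ = struct.unpack_from("<IIII", pcap, pos)
        frame = pcap[pos + 16 : pos + 16 + incl]
        # Only frames carrying the log EtherType are text; others are real packets.
        if struct.unpack_from("!H", frame, 12)[0] == ETHERTYPE_LOG:
            out.append((sec, usec, frame[14:].decode("utf-8")))
        pos += 16 + incl
    return out

# Constructed sample log lines (not from the original post).
SAMPLE = [
    "2024-01-01T00:00:01.500000 sshd: session opened",
    "2024-01-01T00:00:00.250000 kernel: link up",
]

if __name__ == "__main__":
    for rec in read_log_messages(build_pcap(SAMPLE)):
        print(rec)
```

As the answer notes, this only works when the capture's link-layer type carries an Ethernet type, and the text stays opaque to Wireshark until a dissector is registered for that type.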