Re: Byte ordering for dissectors

[Jakub Zawadzki <darkjames-ws () darkjames pl>]

Hi,

On Fri, Jan 10, 2014 at 01:33:49PM +0100, Michal Labedzki wrote:
> Probably PCAP/PCAPNG have ordering info by magic bytes, but I do not
> know how to do that while live capturing (current code work for this
> case)

Still magic numbers are always saved in current host endianess ;|

So if you (re)save capture file in wireshark (e.g. after adding comment),
it'll be no longer properly dissected.

> Possible solutions:
> 1. Wireshark already support byte-ordering information for dissectors
> (anyone seen, anyone knows?)

In packet-nflog.c I'm trying to guess endianess (nflog_tvb_byte_order())


You probably can do the same, looking at dissect_linux_usb_pseudo_header() 

I'm guessing that:
 - usb_urb_ts_sec - I think you can assume that all time are smaller than 0xFFFFFFFF,
                    which for valid captures will be correct to about: 'Sun Feb  7 07:28:15 CET 2106',

 - usb_urb_ts_usec must be < 1000000 (false detection only for 256 values),

 - usb_status must be 0 or have high bit set (false detection only for -EPERM),

 - usb_urb_len, usb_urb_data_len - must be some sane values (?).
 
Hope that helps,
Kuba.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe