Wireshark mailing list archives
Re: Byte ordering for dissectors
From: Evan Huus <eapache () gmail com>
Date: Fri, 10 Jan 2014 14:26:02 -0500
On Fri, Jan 10, 2014 at 2:21 PM, Jakub Zawadzki <darkjames-ws () darkjames pl> wrote:
> Hi,
>
> On Fri, Jan 10, 2014 at 01:33:49PM +0100, Michal Labedzki wrote:
>> Probably PCAP/PCAPNG have ordering info by magic bytes, but I do not know how to do that while live capturing (current code works for this case)
>
> Still magic numbers are always saved in current host endianness ;|
> So if you (re)save capture file in wireshark (e.g. after adding comment), it'll be no longer properly dissected.

Perhaps we should add an option to Pcapng to store original-host-endianness as well, i.e. something that persists in this case?

>> Possible solutions:
>> 1. Wireshark already supports byte-ordering information for dissectors (anyone seen, anyone knows?)
>
> In packet-nflog.c I'm trying to guess endianness (nflog_tvb_byte_order())
>
> You probably can do the same, looking at dissect_linux_usb_pseudo_header() I'm guessing that:
> - usb_urb_ts_sec - I think you can assume that all times are smaller than 0xFFFFFFFF, which for valid captures will be correct to about: 'Sun Feb 7 07:28:15 CET 2106',
> - usb_urb_ts_usec must be < 1000000 (false detection only for 256 values),
> - usb_status must be 0 or have high bit set (false detection only for -EPERM),
> - usb_urb_len, usb_urb_data_len - must be some sane values (?).
>
> Hope that helps,
> Kuba.
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
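Added example (not part of the thread and not Wireshark's own code): standalone C that applies the field checks listed in the quoted message to a Linux USB pseudo-header under both byte orders and picks the ordering that satisfies more of them. The field offsets, the 48-byte header length, the 16 MiB bound used for "sane" lengths, the sample bytes and all names here are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed field offsets in the 48-byte Linux USB pseudo-header (check pcap/usb.h). */
enum { OFF_TS_SEC = 16, OFF_TS_USEC = 24, OFF_STATUS = 28,
       OFF_URB_LEN = 32, OFF_DATA_LEN = 36, HDR_LEN = 48 };
#define SANE_LEN_MAX (16u * 1024u * 1024u) /* assumed bound for "sane" lengths */
enum byte_order { ORDER_UNKNOWN = 0, ORDER_LITTLE, ORDER_BIG };

/* Constructed sample, little-endian: ts_sec=0x52D04A3A, ts_usec=123456,
 * status=-115, urb_len=64, data_len=0. Not taken from a real capture. */
static const uint8_t SAMPLE_LE[HDR_LEN] = {
    [16] = 0x3A, [17] = 0x4A, [18] = 0xD0, [19] = 0x52,
    [24] = 0x40, [25] = 0xE2, [26] = 0x01,
    [28] = 0x8D, [29] = 0xFF, [30] = 0xFF, [31] = 0xFF, [32] = 0x40 };

/* Read an n-byte unsigned integer in the requested byte order. */
static uint64_t rd(const uint8_t *p, int n, int big)
{
    uint64_t v = 0;
    for (int i = 0; i < n; i++)
        v = (v << 8) | p[big ? i : n - 1 - i];
    return v;
}

/* Count how many of the checks from the thread hold under one ordering. */
static int plausibility(const uint8_t *h, int big)
{
    uint64_t sec    = rd(h + OFF_TS_SEC, 8, big);
    uint32_t usec   = (uint32_t)rd(h + OFF_TS_USEC, 4, big);
    uint32_t status = (uint32_t)rd(h + OFF_STATUS, 4, big);
    uint32_t ulen   = (uint32_t)rd(h + OFF_URB_LEN, 4, big);
    uint32_t dlen   = (uint32_t)rd(h + OFF_DATA_LEN, 4, big);
    int score = 0;
    score += sec < 0xFFFFFFFFu;                        /* time before 2106 */
    score += usec < 1000000u;                          /* valid microseconds */
    score += status == 0 || (status & 0x80000000u);    /* 0 or negative errno */
    score += ulen <= SANE_LEN_MAX && dlen <= SANE_LEN_MAX;
    return score;
}

/* ORDER_UNKNOWN for a short buffer or a tie, so the caller can fall back. */
enum byte_order guess_usb_header_order(const uint8_t *hdr, size_t len)
{
    if (hdr == NULL || len < HDR_LEN)
        return ORDER_UNKNOWN;
    int le = plausibility(hdr, 0), be = plausibility(hdr, 1);
    if (le == be)
        return ORDER_UNKNOWN;
    return le > be ? ORDER_LITTLE : ORDER_BIG;
}
int main(void) { return guess_usb_header_order(SAMPLE_LE, HDR_LEN) != ORDER_LITTLE; }
```

A tie (for example an all-zero header) is reported as unknown rather than guessed, since each check alone admits false detections, as the message notes.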