Wireshark mailing list archives

Re: Byte ordering for dissectors


From: Guy Harris <guy () alum mit edu>
Date: Fri, 10 Jan 2014 11:58:11 -0800


On Jan 10, 2014, at 4:33 AM, Michal Labedzki <michal.labedzki () tieto com> wrote:

> Is there an option for the dissector to know the byte order of... "interface"?

No.

For live capture on a local interface, the byte order is the machine's byte order.

For reading pcap and pcap-ng files, the byte order in the file is changed to the byte order of the machine in the pcap_read_post_process() routine in wiretap/pcap-common.c before the packet is handed to the caller of libwiretap.

So, in the dissector, the data is in the machine's byte order.

This is also done in libpcap in pcap_next_packet() and pcap_ng_next_packet() (which should be done with common code).

Doing it this way also allows programs that read and write capture files, running on a machine with a byte order that's the opposite of the byte order of the machine that wrote the file being read, to write out a file where the byte order in the file (for pcap) or file section (for pcap-ng) matches the byte order of the packet data (otherwise, they can get out of sync, which would cause the program that reads the output file to misdissect it).
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
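An added illustration of the read-time conversion described in the message above; it is not part of the original post and is not Wireshark or libpcap code. It detects from the pcap magic number whether the file was written in the opposite byte order, then converts host-byte-order header fields to machine order once, before anything dissects them. The 6-byte pseudo-header layout and all function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PCAP_MAGIC 0xa1b2c3d4u   /* classic pcap magic, written in the writer's byte order */

/* Hypothetical 6-byte pseudo-header stored in the writer's host byte order:
 * bytes 0-1 = uint16 channel, bytes 2-5 = uint32 payload length. */
#define PSEUDO_HDR_LEN 6

uint16_t swap16(uint16_t v) { return (uint16_t)((v >> 8) | (v << 8)); }

uint32_t swap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0x0000ff00u) |
           ((v << 8) & 0x00ff0000u) | (v << 24);
}

/* 0: file is in this machine's byte order, 1: opposite order, -1: not a pcap file. */
int pcap_file_is_swapped(const uint8_t *file_hdr, size_t len)
{
    uint32_t magic;
    if (len < sizeof magic) return -1;
    memcpy(&magic, file_hdr, sizeof magic);   /* read it as this machine sees it */
    if (magic == PCAP_MAGIC) return 0;
    if (swap32(magic) == PCAP_MAGIC) return 1;
    return -1;
}

/* Convert the host-endian fields to machine order in place, once, at read time.
 * Returns 0 on success, -1 if the captured data is too short to hold the header. */
int fix_pseudo_header(uint8_t *pkt, size_t caplen, int file_swapped)
{
    uint16_t channel;
    uint32_t length;
    if (caplen < PSEUDO_HDR_LEN) return -1;   /* truncated capture: leave it untouched */
    if (!file_swapped) return 0;              /* already in machine order */
    memcpy(&channel, pkt, 2);
    memcpy(&length, pkt + 2, 4);
    channel = swap16(channel);
    length = swap32(length);
    memcpy(pkt, &channel, 2);
    memcpy(pkt + 2, &length, 4);
    return 0;
}
```

A program that rewrites the capture after this step would write the file in its own byte order, so that the file header and the converted packet data stay in sync.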

