Wireshark-dev: Re: [Wireshark-dev] Byte ordering for dissectors
From: Evan Huus <eapache@xxxxxxxxx>
Date: Fri, 10 Jan 2014 14:26:02 -0500
On Fri, Jan 10, 2014 at 2:21 PM, Jakub Zawadzki
<darkjames-ws@xxxxxxxxxxxx> wrote:
> Hi,
>
> On Fri, Jan 10, 2014 at 01:33:49PM +0100, Michal Labedzki wrote:
>> Probably PCAP/PCAPNG have ordering info by magic bytes, but I do not
>> know how to do that while live capturing (current code work for this
>> case)
>
> Still magic numbers are always saved in current host endianess ;|
>
> So if you (re)save capture file in wireshark (e.g. after adding comment),
> it'll be no longer properly dissected.

Perhaps we should add an option to Pcapng to store
original-host-endianess as well, ie something that persists in this
case?

>> Possible solutions:
>> 1. Wireshark already support byte-ordering information for dissectors
>> (anyone seen, anyone knows?)
>
> In packet-nflog.c I'm trying to guess endianess (nflog_tvb_byte_order())
>
>
> You probably can do the same, looking at dissect_linux_usb_pseudo_header()
>
> I'm guessing that:
>  - usb_urb_ts_sec - I think you can assume that all time are smaller than 0xFFFFFFFF,
>                     which for valid captures will be correct to about: 'Sun Feb  7 07:28:15 CET 2106',
>
>  - usb_urb_ts_usec must be < 1000000 (false detection only for 256 values),
>
>  - usb_status must be 0 or have high bit set (false detection only for -EPERM),
>
>  - usb_urb_len, usb_urb_data_len - must be some sane values (?).
>
> Hope that helps,
> Kuba.
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe