On Dec 1, 2013, at 3:32 AM, Romain Francoise <rom...@orebokech.com> wrote:
> - the nflog-e testcase requires a little-endian host, the NFLOG TLV > length is in host byte order and the capture file was generated on a > little-endian machine, so it can't be read successfully on a > big-endian build host. That means that the libpcap code should, if the byte order of the host that generated (that section of) the file is different from the byte order of the host on which the code is running, byte-swap the TLVs. If the TLV *data* is in host byte order, however, I would suggest that libpcap refuse to allow LINKTYPE_NFLOG files to be opened if the byte order of the file (if pcap) or the first section of the file (if pcap-ng) isn't the byte order of the host running the code. Having the host get the byte order by calling pcap_is_swapped() wouldn't be sufficient if, for example, a program running on a host with a different byte order from the byte order of the capture file reads the file and writes out a modified version of the file, unless that program either byte-swaps the file or writes it out with a byte order indication appropriate for the host on which the capture is done. _______________________________________________ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
