On Fri, Jan 10, 2014 at 2:21 PM, Jakub Zawadzki <[email protected]> wrote:
> Hi,
>
> On Fri, Jan 10, 2014 at 01:33:49PM +0100, Michal Labedzki wrote:
>> Probably PCAP/PCAPNG have ordering info by magic bytes, but I do not
>> know how to do that while live capturing (current code works for this
>> case)
>
> Still magic numbers are always saved in current host endianness ;|
>
> So if you (re)save capture file in wireshark (e.g. after adding comment),
> it'll be no longer properly dissected.

Perhaps we should add an option to Pcapng to store original-host-endianness as well, i.e. something that persists in this case?

>> Possible solutions:
>> 1. Wireshark already supports byte-ordering information for dissectors
>> (anyone seen, anyone knows?)
>
> In packet-nflog.c I'm trying to guess endianness (nflog_tvb_byte_order())
>
> You probably can do the same, looking at dissect_linux_usb_pseudo_header()
>
> I'm guessing that:
> - usb_urb_ts_sec - I think you can assume that all times are smaller than
>   0xFFFFFFFF, which for valid captures will be correct to about:
>   'Sun Feb 7 07:28:15 CET 2106',
>
> - usb_urb_ts_usec must be < 1000000 (false detection only for 256 values),
>
> - usb_status must be 0 or have high bit set (false detection only for
>   -EPERM),
>
> - usb_urb_len, usb_urb_data_len - must be some sane values (?).
>
> Hope that helps,
> Kuba.
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <[email protected]>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:[email protected]?subject=unsubscribe
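The field checks listed in the quoted message, applied to both byte orders, as an added example that is not part of the original thread and is not Wireshark's code. The offsets assume the 48-byte Linux usbmon header layout; `SANE_LEN`, `guess_usb_byte_order` and `demo` are hypothetical names, and the sample header is constructed.

```c
#include <stddef.h>
#include <stdint.h>

enum usb_order { ORDER_UNKNOWN, ORDER_LE, ORDER_BE };
/* Assumed layout (Linux usbmon 48-byte header): ts_sec at 16 (64-bit),
 * ts_usec at 24, status at 28, urb_len at 32, data_len at 36 (32-bit). */
#define HDR_LEN  48
#define SANE_LEN (1u << 24)  /* constructed bound for "sane" lengths */

static uint64_t rd(const uint8_t *p, int n, int be)
{
    uint64_t v = 0;
    for (int i = 0; i < n; i++)
        v = (v << 8) | p[be ? i : n - 1 - i];
    return v;
}

/* 1 if every field passes the plausibility checks listed in the thread. */
static int plausible(const uint8_t *h, int be)
{
    uint32_t status = (uint32_t)rd(h + 28, 4, be);
    return rd(h + 16, 8, be) < 0xFFFFFFFFu       /* ts_sec */
        && rd(h + 24, 4, be) < 1000000u          /* ts_usec */
        && (status == 0 || (status & 0x80000000u))
        && rd(h + 32, 4, be) < SANE_LEN          /* urb_len */
        && rd(h + 36, 4, be) < SANE_LEN;         /* data_len */
}

enum usb_order guess_usb_byte_order(const uint8_t *h, size_t len)
{
    if (h == NULL || len < HDR_LEN)
        return ORDER_UNKNOWN;       /* truncated header: read nothing */
    int le = plausible(h, 0), be = plausible(h, 1);
    return le == be ? ORDER_UNKNOWN : le ? ORDER_LE : ORDER_BE; /* tie: ambiguous */
}

/* Constructed sample header written in the requested byte order. */
enum usb_order demo(int be)
{
    const uint64_t f[5] = { 1389360109u, 123456u, 0xFFFFFF8Du, 64u, 64u };
    const int off[5] = { 16, 24, 28, 32, 36 };
    uint8_t h[HDR_LEN] = {0};
    for (int k = 0; k < 5; k++) {
        int n = k ? 4 : 8;          /* only ts_sec is 64-bit */
        for (int i = 0; i < n; i++)
            h[off[k] + (be ? n - 1 - i : i)] = (uint8_t)(f[k] >> (8 * i));
    }
    return guess_usb_byte_order(h, sizeof h);
}
```

A header that satisfies the checks in both orders (an all-zero one, for instance) returns `ORDER_UNKNOWN`, so a caller needs a fallback for that case.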
