Re: Failing tcpdump 4.5.1 testsuite

[Guy Harris <guy () alum mit edu>]

On Dec 1, 2013, at 3:32 AM, Romain Francoise <romain () orebokech com> wrote:

> - the nflog-e testcase requires a little-endian host, the NFLOG TLV
>  length is in host byte order and the capture file was generated on a
>  little-endian machine, so it can't be read successfully on a
>  big-endian build host.

That means that the libpcap code should, if the byte order of the host that generated (that section of) the file is 
different from the byte order of the host on which the code is running, byte-swap the TLVs.

If the TLV *data* is in host byte order, however, I would suggest that libpcap refuse to allow LINKTYPE_NFLOG files to 
be opened if the byte order of the file (if pcap) or the first section of the file (if pcap-ng) isn't the byte order of 
the host running the code.  Having the host get the byte order by calling pcap_is_swapped() wouldn't be sufficient if, 
for example, a program running on a host with a different byte order from the byte order of the capture file reads the 
file and writes out a modified version of the file, unless that program either byte-swaps the file or writes it out 
with a byte order indication appropriate for the host on which the capture is done.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers