tcpdump mailing list archives

Re: [PATCH] various fix for usb sniffing


From: Guy Harris <guy () alum mit edu>
Date: Mon, 15 Jan 2007 01:32:24 -0800

Abeni Paolo wrote:

>> 1) the host reading a capture file can determine the byte order of the host on which the capture was done,
>
> I did not know this. Can you please explain to me how?

The file header in a libpcap file starts with a magic number to indicate that it's a libpcap file; the magic number is written in the host byte order of the host doing the capture, so libpcap and Wireshark's Wiretap library check for both possible byte orders of the magic number. If the magic number is byte-swapped from the "correct" byte order, the file is assumed to have been written on a host with the opposite byte order.

The fields in the per-file and per-packet header are written in the host byte order of the host doing the capture (I seem to remember some document saying this was done to reduce the CPU effort required on the capturing host), so if the file being read was written on a host with the opposite byte order, the values of those fields are byte-swapped by libpcap and Wireshark.

In libpcap, sf_next_packet() in savefile.c could check for a p->linktype value of DLT_USB_LINUX and, if it has that value, and p->sf.swapped is non-zero, assume the packet data begins with a Linux-style USB header and byte-swap it. (Note: it shouldn't assume that it necessarily begins with a *complete* USB header - hdr->caplen gives the actual number of bytes of packet data, including the USB header, that are present.)

In Wireshark, libpcap_read() and libpcap_seek_read() should, after the packet data is read, check whether wth->file_encap is WTAP_ENCAP_USB and, if so, and if wth->capture.pcap->byte_swapped is non-zero, do the same byte swapping (again, note that the entire header isn't necessarily present).

> (So, if this is the way, I can update the wireshark dissector accordingly).

The dissector would assume that the packet header is in host byte order, which it will automatically be when doing a live capture, and which the libpcap_read() and libpcap_seek_read() changes will ensure is the case when reading a capture file.
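As an added illustration, not code from this thread or from libpcap or Wireshark: a small Python reader that checks the magic number in both byte orders, marks the file as swapped when that order differs from the reading host's native order, and for DLT_USB_LINUX byte-swaps only those Linux USB header fields that caplen actually covers. The header layout (field offsets and widths), the DLT value 189 and the sample packet are assumptions taken from libpcap's headers of the period, not from this message.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4
DLT_USB_LINUX = 189  # linktype of the Linux USB pseudo-header (assumed value)
# Multi-byte fields of the Linux USB header as (name, offset, struct code); layout
# assumed from libpcap's usb.h of the time. 1-byte fields and setup are not swapped.
USB_FIELDS = [("id", 0, "Q"), ("bus_id", 12, "H"), ("ts_sec", 16, "q"), ("ts_usec", 24, "i"),
              ("status", 28, "i"), ("urb_len", 32, "I"), ("data_len", 36, "I")]
def swap_linux_usb_header(data, caplen):
    # Reverse only the fields caplen fully covers: the capture may hold a header prefix.
    buf = bytearray(data)
    for _, off, fmt in USB_FIELDS:
        end = off + struct.calcsize(fmt)
        if caplen < end:
            break
        buf[off:end] = buf[off:end][::-1]
    return bytes(buf)
def usb_fields(data):
    # Decode, in host byte order, whatever fields the captured bytes cover.
    out = {}
    for name, off, fmt in USB_FIELDS:
        if len(data) < off + struct.calcsize(fmt):
            break
        out[name] = struct.unpack_from("=" + fmt, data, off)[0]
    return out
def read_pcap(blob):
    # Returns (swapped, linktype, [(ts_sec, ts_usec, data), ...]) with USB packet
    # data in the reading host's byte order whenever the file was byte-swapped.
    end = "<" if blob[:4] == struct.pack("<I", PCAP_MAGIC) else ">"
    if blob[:4] != struct.pack(end + "I", PCAP_MAGIC):
        raise ValueError("not a libpcap file")
    swapped = blob[:4] != struct.pack("=I", PCAP_MAGIC)  # magic not in native order
    linktype = struct.unpack(end + "IHHiIII", blob[:24])[6]
    packets, pos = [], 24
    while pos + 16 <= len(blob):
        ts_sec, ts_usec, caplen, _ = struct.unpack(end + "IIII", blob[pos:pos + 16])
        data = blob[pos + 16:pos + 16 + caplen]
        if len(data) < caplen:
            raise ValueError("truncated packet record")
        if linktype == DLT_USB_LINUX and swapped:
            data = swap_linux_usb_header(data, caplen)
        packets.append((ts_sec, ts_usec, data))
        pos += 16 + caplen
    return swapped, linktype, packets
def build_sample_file(end, caplen=48):
    # Constructed input, not a real capture: one USB packet in byte order `end`.
    usb = struct.pack(end + "QBBBBHBBqiiII", 0x1234, 0x53, 2, 0x81, 5, 3, 0, 0,
                      1168846344, 123456, -115, 64, 0) + bytes(8)
    head = struct.pack(end + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_USB_LINUX)
    rec = struct.pack(end + "IIII", 1168846344, 123456, caplen, 48) + usb[:caplen]
    return head + rec
```

Whichever byte order the reading host has, exactly one of the two sample files comes out as swapped, and a record captured with caplen=30 gets only the fields that fit (id through ts_usec) converted.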