Re: Linux evdev capture support (draft patch)

[David Gibson <david () gibson dropbear id au>]

On Tue, Dec 09, 2008 at 08:47:18PM +1100, ronnie sahlberg wrote:
> On Tue, Dec 9, 2008 at 7:40 PM, David Gibson
> <david () gibson dropbear id au> wrote:
> > I've implemented a first cut at adding support to libpcap to capture
> > from the Linux /dev/input/event* (evdev) devices.  Draft patch is
> > included below.
> >
> > However, I've realised there's a problem.  Since it's an internal-only
> > protocol, the evdev devices return packets which are in native-endian
> > format.  Obviously that's problematic once the packets go into pcap
> > files which could be moved to other machines.
> >
> > As I see it, I have 3 options here:
> >        1. Ask for a second DLT_ value, and use different DLT values
> > for the capture depending on the endianness of the capturing machine.
> >        2. Covert the packets at capture time to either little or
> > big-endian (arbitrary choice).
> >        3. Capture and record in native-endian, and rely on programs
> > reading the pcap file to deduce the endianness from other data.  This
> > will generally be possible in practice because the 16-bit 'type' field
> > has no assigned values above 0xff.
> >
> > I'm inclined towards option (2), but I don't know if there's a
> > pre-existing libpcap rule of thumb about this sort of thing.
>
> I think 3 is a fair choice.
> There are several examples of protocols in wireshark already where it
> has to resort to heuristics like that in order to determine how to
> decode the packets.

Hrm, I guess.  I'm uneasy about it, since 0 is a valid value for that
field, so you won't always be able to tell from a single packet.

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.