Re: [tcpdump-workers] Link-Layer Header Type request for USBPcap
OK, 249 assigned for LINKTYPE_USBPCAP/DLT_USBPCAP. You might want to update your description to clarify the points I mentioned - not everybody writing or maintaining code to process this will necessarily be familiar with #pragma pack(), Windows NT IRPs, etc. ___ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
[tcpdump-workers] Link-Layer Header Type request for USBPcap
Hello, For the USBPcap project I would like to request a new link-layer header type value: LINKTYPE_USBPCAP DLT_USBPCAP Capture format specification is available at the project website [1] and could be described as pseudo-header for USB packets captured using USBPcap on Microsoft Windows. Regards, Tomasz [1] http://desowin.org/usbpcap/captureformat.html ___ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Re: [tcpdump-workers] Link-Layer Header Type request for USBPcap
On Mar 25, 2013, at 2:48 AM, Tomasz Moń deso...@gmail.com wrote:
For the USBPcap project I would like to request a new link-layer
header type value:
LINKTYPE_USBPCAP
DLT_USBPCAP
Capture format specification is available at the project website [1]
and could be described as pseudo-header for USB packets captured using
USBPcap on Microsoft Windows.
#pragma pack(1)
typedef struct
{
USHORT headerLen; /* This header length */
UINT64 irpId; /* I/O Request packet ID */
So headerLen is at an offset of 0, and irpId is at an offset of 2, right?
o irpId is merely a pointer to IRP casted to the UINT64
I.e., it's an 64-bit cookie whose bits have no particular significance, given
that, within a file, there's nothing for it to point to.
o transfer determines the transfer type and thus the header type. See
below for details.
o dataLength specifies the total length of transfer data to follow
directly after the header.
Transfer-specific headers
Presumably the transfer-specific header follows the
USBPCAP_BUFFER_PACKET_HEADER in the packet data, with the transfer data
following the transfer-specific header.
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Re: [tcpdump-workers] Link-Layer Header Type request for USBPcap
On Mon, Mar 25, 2013 at 11:08 AM, Guy Harris g...@alum.mit.edu wrote:
#pragma pack(1)
typedef struct
{
USHORT headerLen; /* This header length */
UINT64 irpId; /* I/O Request packet ID */
So headerLen is at an offset of 0, and irpId is at an offset of 2, right?
Exactly.
o irpId is merely a pointer to IRP casted to the UINT64
I.e., it's an 64-bit cookie whose bits have no particular significance, given
that, within a file, there's nothing for it to point to.
Yes. It is provided so it could be used to pair the requests with
responses in analysis software.
o transfer determines the transfer type and thus the header type. See
below for details.
o dataLength specifies the total length of transfer data to follow
directly after the header.
Transfer-specific headers
Presumably the transfer-specific header follows the
USBPCAP_BUFFER_PACKET_HEADER in the packet data, with the transfer data
following the transfer-specific header.
Actually, all transfer-specific headers inherit the base packet header.
But yes, first there is the USBPCAP_BUFFER_PACKET_HEADER, then (if
any) the transfer-specific header members not contained in
USBPCAP_BUFFER_PACKET_HEADER, and then the transfer data.
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
