On Tue, Dec 9, 2008 at 7:40 PM, David Gibson <[EMAIL PROTECTED]> wrote:
> I've implemented a first cut at adding support to libpcap to capture
> from the Linux /dev/input/event* (evdev) devices. Draft patch is
> included below.
>
> However, I've realised there's a problem. Since it's an internal-only
> protocol, the evdev devices return packets which are in native-endian
> format. Obviously that's problematic once the packets go into pcap
> files which could be moved to other machines.
>
> As I see it, I have 3 options here:
> 1. Ask for a second DLT_ value, and use different DLT values
> for the capture depending on the endianness of the capturing machine.
> 2. Convert the packets at capture time to either little or
> big-endian (arbitrary choice).
> 3. Capture and record in native-endian, and rely on programs
> reading the pcap file to deduce the endianness from other data. This
> will generally be possible in practice because the 16-bit 'type' field
> has no assigned values above 0xff.
>
> I'm inclined towards option (2), but I don't know if there's a
> pre-existing libpcap rule of thumb about this sort of thing.
>
I think 3 is a fair choice. There are several examples of protocols in wireshark already where it has to resort to heuristics like that in order to determine how to decode the packets.

- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
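Option 3 worked through, as an added example that is not part of this thread or of David's draft patch: given a byte string of raw input_event records as a capture on either kind of host would write them, sniff the byte order from the 16-bit type field (every assigned EV_* type fits in the low byte), then decode, or re-pack the records little-endian as option 2 would. The check only gets information from an event whose two type bytes differ, so a stream containing nothing but EV_SYN (type 0) is undecidable and the function says so rather than guessing. The 24-byte 64-bit record layout (struct timeval of two 8-byte longs, then u16 type, u16 code, s32 value; 32-bit hosts write 16-byte records, a separate portability problem the thread does not address) and the sample key-press sequence are assumptions made for the example.

```python
import struct

# Linux evdev event types from linux/input.h; the highest assigned type is
# EV_MAX = 0x1f, so a well-formed type field always has a zero high byte.
EV_SYN, EV_KEY = 0x00, 0x01
EV_MAX = 0x1f
SYN_REPORT, KEY_A = 0, 30

# Assumed 64-bit struct input_event layout: timeval (two 8-byte longs),
# u16 type, u16 code, s32 value. Byte-order prefix is added per call.
EVENT_FMT = "qqHHi"
EVENT_SIZE = struct.calcsize("<" + EVENT_FMT)   # 24 bytes
TYPE_OFFSET = struct.calcsize("<qq")            # 16: type sits after the timeval


def record_offsets(blob):
    """Offsets of every complete 24-byte record in blob (trailing bytes ignored)."""
    return range(0, len(blob) - EVENT_SIZE + 1, EVENT_SIZE)


def guess_endianness(blob):
    """Return '<' or '>' by inspecting type fields, or None if undecidable.

    Only an event whose two type bytes differ carries information: EV_SYN
    (0x0000) reads as 0 either way, so a SYN-only capture cannot be classified.
    Records where both readings exceed EV_MAX are treated as malformed and skipped.
    """
    for off in record_offsets(blob):
        raw_type = blob[off + TYPE_OFFSET: off + TYPE_OFFSET + 2]
        le = struct.unpack("<H", raw_type)[0]
        be = struct.unpack(">H", raw_type)[0]
        if le == be:
            continue
        if le <= EV_MAX < be:
            return "<"
        if be <= EV_MAX < le:
            return ">"
    return None


def decode_events(blob, order=None):
    """Decode records as (sec, usec, type, code, value) tuples, sniffing order if not given."""
    order = order or guess_endianness(blob)
    if order is None:
        raise ValueError("cannot determine byte order: no event with a non-zero type")
    return [struct.unpack_from(order + EVENT_FMT, blob, off) for off in record_offsets(blob)]


def pack_events(events, order):
    """Serialise events the way a host of the given byte order would write them."""
    return b"".join(struct.pack(order + EVENT_FMT, *ev) for ev in events)


def normalize_to_little_endian(blob):
    """Option 2 applied after the fact: sniff the order, re-emit as little-endian."""
    return pack_events(decode_events(blob), "<")


# Constructed sample: one press and release of KEY_A, each followed by SYN_REPORT.
SAMPLE_EVENTS = [
    (1228869600, 123456, EV_KEY, KEY_A, 1),
    (1228869600, 123456, EV_SYN, SYN_REPORT, 0),
    (1228869600, 223456, EV_KEY, KEY_A, 0),
    (1228869600, 223456, EV_SYN, SYN_REPORT, 0),
]
BIG_ENDIAN_CAPTURE = pack_events(SAMPLE_EVENTS, ">")      # as a big-endian host writes it
LITTLE_ENDIAN_CAPTURE = pack_events(SAMPLE_EVENTS, "<")   # as a little-endian host writes it
SYN_ONLY_CAPTURE = pack_events([(1228869600, 0, EV_SYN, SYN_REPORT, 0)], ">")

if __name__ == "__main__":
    for name, blob in [("big", BIG_ENDIAN_CAPTURE), ("little", LITTLE_ENDIAN_CAPTURE)]:
        print(name, guess_endianness(blob), decode_events(blob)[0])
    print("syn-only", guess_endianness(SYN_ONLY_CAPTURE))
```

The SYN-only case is the practical weakness of option 3: a short capture, or one that happens to start with a run of synchronisation events, gives a reader nothing to decide on, whereas options 1 and 2 record the answer explicitly.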
