Wireshark-dev: Re: [Wireshark-dev] adding a byte order preference for packet-usb.c?
Charles Lepple wrote:
> I was trying to convert a usbsnoop USB capture log into pcap format
> (BTW, text2pcap is very nifty), and I realized that usbsnoop is not
> byte-swapping the setup packet fields as this comment from the top of
> packet-usb.c implies:
> /* Man this is suboptimal.
>  * The USB Header and the setup data are BIG ENDIAN
>  * but all the real usb data is LITTLE ENDIAN.
>  */
> (usbsnoop presents the USB header fields separately, not as a sequence
> of bytes, so there is no ambiguity there.)
> Granted, since wirecap cannot read usbsnoop logfiles directly, the
> byte-swapping could be done in whatever tool translates the data to
> pcap format, but I am sure that there are other USB protocol analyzer
> users out there who are expecting the setup packet to be in
> little-endian format, as it is on the wire.
> It doesn't look like this dissector has any preferences registered
> yet. Would anyone object to a patch that adds a preference for
> byte-swapping? (The default could be set to match the current
> behavior.)

Hi Charles!
Glad to hear that someone is working on this, I guess there's some more
general interest (at least for me playing around :-).
IMHO, adding a preference for this is suboptimal - one needs to know
that this is existing and which setting is required for the current file
- and if you are working with both formats (Windows usbsnoop and Linux
capture files) you'll have to change this setting all the time.
Is there a better way to detect this at runtime? Maybe a field in the
data that only makes sense in one endianness to automatically detect it?
Or change the endianness while converting to libpcap?
BTW: Could you give some more general info?
Which usbsnoop do you use? Please with URL, there seems to be more than
one version out there.
How do you convert the file using text2pcap (which settings / scripts)?
Maybe adding the file format directly into wiretap (ok, long term goal)?
Did you notice the Wiki page already existing about this topic? You
might add some notes to http://wiki.wireshark.org/CaptureSetup/USB about
your current progress.
Do you see a chance to convince the usbsnoop author(s) to export
directly to libpcap format? It might be in their own interest ;-)
I was thinking about experimenting with this myself, but lack of time -
and no real knowledge of the USB protocol in general :-( ...
Regards, ULFL
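
The run-time detection idea raised in the reply above, sketched as an added example (not code from packet-usb.c or from either poster). It assumes the two capture formats differ only in whether the 16-bit setup fields are byte-swapped; the function and enum names are hypothetical, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum setup_order { ORDER_UNKNOWN, ORDER_LITTLE, ORDER_BIG }; /* hypothetical names */
/* Standard descriptor types from USB 2.0: 1 (DEVICE) .. 8 (INTERFACE_POWER). */
static int plausible_type(uint8_t t) { return t >= 1 && t <= 8; }

/* Setup packet layout: bmRequestType, bRequest, wValue, wIndex, wLength.
 * Only standard GET_DESCRIPTOR (0x80, 0x06) votes: its wValue is
 * (descriptor type << 8) | descriptor index, so the type byte is s[3]
 * in wire (little-endian) order and s[2] if the field was swapped. */
enum setup_order classify_setup(const uint8_t s[8])
{
    if (s[0] != 0x80 || s[1] != 0x06) return ORDER_UNKNOWN;
    int le_ok = plausible_type(s[3]);
    int be_ok = plausible_type(s[2]);
    if (le_ok && !be_ok) return ORDER_LITTLE;
    if (be_ok && !le_ok) return ORDER_BIG;
    return ORDER_UNKNOWN;   /* e.g. string descriptor #3: 03 03 either way */
}

/* Vote over a capture; conflicting or missing evidence gives ORDER_UNKNOWN. */
enum setup_order detect_order(const uint8_t (*pkts)[8], size_t n)
{
    size_t le = 0, be = 0;
    for (size_t i = 0; i < n; i++) {
        enum setup_order o = classify_setup(pkts[i]);
        le += (o == ORDER_LITTLE);
        be += (o == ORDER_BIG);
    }
    if (le && !be) return ORDER_LITTLE;
    if (be && !le) return ORDER_BIG;
    return ORDER_UNKNOWN;
}

/* Constructed sample setup packets, not taken from a real capture. */
static const uint8_t wire_order[3][8] = {
    {0x80, 0x06, 0x00, 0x01, 0x00, 0x00, 0x40, 0x00},  /* GET_DESCRIPTOR DEVICE */
    {0x00, 0x05, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00},  /* SET_ADDRESS: no vote */
    {0x80, 0x06, 0x00, 0x02, 0x00, 0x00, 0x09, 0x00},  /* GET_DESCRIPTOR CONFIG */
};
static const uint8_t swapped[1][8] = {{0x80, 0x06, 0x01, 0x00, 0, 0, 0x00, 0x40}};

int main(void)
{
    printf("%d %d\n", (int)detect_order(wire_order, 3), (int)detect_order(swapped, 1));
}
```

When the result is ORDER_UNKNOWN, something else, such as the preference proposed in the quoted message, still has to decide.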