On Jan 10, 2014, at 4:33 AM, Michal Labedzki <michal.labedzki@xxxxxxxxx> wrote:
> Is there option to dissector know byte order of... "interface"?
No.
For live capture on a local interface, the byte order is the machine's byte order.
For reading pcap and pcap-ng files, the byte order in the file is changed to the byte order of the machine in the pcap_read_post_process() routine in wiretap/pcap-common.c before the packet is handed to the caller of libwiretap.
So, in the dissector, the data is in the machine's byte order.
This is also done in libpcap in pcap_next_packet() and pcap_ng_next_packet() (which should be done with common code).
Doing it this way also allows programs that read and write capture files, running on a machine with a byte order that's the opposite of the byte order of the machine that wrote the file being read, to write out a file where the byte order in the file (for pcap) or file section (for pcap-ng) matches the byte order of the packet data (otherwise, they can get out of sync, which would cause the program that reads the output file to misdissect it).
