Wireshark · Wireshark-users: [Wireshark-users] Setting up fields with little endianess for a custom dissector

Wireshark-users: [Wireshark-users] Setting up fields with little endianess for a custom dissector

From: Leandro Lucarella <llucax@xxxxxxxxx>

Date: Mon, 17 Mar 2008 15:25:27 -0300

Hi!

I'm making a custom wireshark dissector (in LUA), but I have a problem.The protocol is for a TIPC cluster, so it uses the host byte order(little endian in our case) but when I add fields to the protocol treeit seems that all the fields are interpreted as big endian.


Is there any way to change that behavior?

What I specifically do is:

local pf = ProtoField.uint32('myproto.somefield', 'Some Field')

function dissect(buffer, pinfo, tree)
    local subtree = tree:add(proto, buffer(), "My Protocol")
    subtree:add(pf, buffer(0, 4))
end

I think, speaking in C, this is something like:

static int hf_somefield = -1;
static hf[] = {
    { &hf_somefield,
        { "Some Field", "myproto.somefield",
        FT_UINT32, BASE_DEC,
        NULL, 0x0,
        NULL, HFILL }
    }
};

// etc.

But I still can't find a way to tell (looked at FT_* and BASE_*constants) wireshark to interpret the field as little endian.


Any ideas on how to do that?

TIA.

Follow-Ups:
- [Wireshark-users] tshark -Ttext output
  - From: Rob MacKenzie
- Re: [Wireshark-users] Setting up fields with little endianess for a custom dissector
  - From: Guy Harris

Prev by Date: [Wireshark-users] windows script to convert snoop to pcap
Next by Date: [Wireshark-users] tshark -Ttext output
Previous by thread: Re: [Wireshark-users] windows script to convert snoop to pcap
Next by thread: [Wireshark-users] tshark -Ttext output
Index(es):
- Date
- Thread