I'm in the middle of writing a Wireshark dissector for a custom protocol. However, I have a field which is a unsigned 32-bit integer. It's actually transmitted in little endian form. How do I force Wireshark to interpret it as such?
i.e. my hf_register_info struct contains
&hf_foo_length,
{ "Length",开发者_JAVA百科 "foo.length", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }
And in the dissect function I'm calling
proto_tree_add_item(foo_tree, hf_foo_length, tvb, offset, 4, FALSE);
To answer my last question. I discovered that if the last parameter of proto_tree_add_item if non-zero will make it interpret the field as little-endian.
See proto.h
/*
* We might also, in the future, want to allow a field specifier to
* indicate the encoding of the field, or at least its default
* encoding, as most fields in most protocols always use the
* same encoding (although that's not true of all fields, so we
* still need to be able to specify that at run time).
*
* So, for now, we define ENC_BIG_ENDIAN and ENC_LITTLE_ENDIAN as
* bit flags, to be combined, in the future, with other information
* to specify the encoding in the last argument to
* proto_tree_add_item(), and possibly to specify in a field
* definition (e.g., ORed in with the type value).
*
* Currently, proto_tree_add_item() treats its last argument as a
* Boolean - if it's zero, the field is big-endian, and if it's non-zero,
* the field is little-endian - and other code in epan/proto.c does
* the same. We therefore define ENC_BIG_ENDIAN as 0x00000000 and
* ENC_LITTLE_ENDIAN as 0x80000000 - we're using the high-order bit
* so that we could put a field type and/or a value such as a character
* encoding in the lower bits.
*/
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论