2011-02-09 60 views

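Interpreting an FT_UINT32 field as little endian

I am writing a Wireshark dissector for a custom protocol. However, I have a field that is an unsigned 32-bit integer. It is actually transmitted in little-endian form. How do I force Wireshark to interpret it that way?

That is, my hf_register_info struct contains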

{ &hf_foo_length,
  { "Length", "foo.length", FT_UINT32, BASE_DEC,
    NULL, 0x0, NULL, HFILL } },

and in the dissection function I call

proto_tree_add_item(foo_tree, hf_foo_length, tvb, offset, 4, FALSE); 

Answers


Answering my last question. I found that if the last argument of proto_tree_add_item is non-zero, it will interpret the field as little-endian.

See proto.h:

/* 
* We might also, in the future, want to allow a field specifier to 
* indicate the encoding of the field, or at least its default 
* encoding, as most fields in most protocols always use the 
* same encoding (although that's not true of all fields, so we 
* still need to be able to specify that at run time). 
* 
* So, for now, we define ENC_BIG_ENDIAN and ENC_LITTLE_ENDIAN as 
* bit flags, to be combined, in the future, with other information 
* to specify the encoding in the last argument to 
* proto_tree_add_item(), and possibly to specify in a field 
* definition (e.g., ORed in with the type value). 
* 
* Currently, proto_tree_add_item() treats its last argument as a 
* Boolean - if it's zero, the field is big-endian, and if it's non-zero, 
* the field is little-endian - and other code in epan/proto.c does 
* the same. We therefore define ENC_BIG_ENDIAN as 0x00000000 and 
* ENC_LITTLE_ENDIAN as 0x80000000 - we're using the high-order bit 
* so that we could put a field type and/or a value such as a character 
* encoding in the lower bits. 
*/ 

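Or, even better, use ENC_LITTLE_ENDIAN; for some data formats, the last argument is not just checked for zero versus non-zero, it is also checked for other characteristics of the data format, for example, for strings, the character encoding. (Your code is also clearer if you use ENC_BIG_ENDIAN and ENC_LITTLE_ENDIAN.) – 2013-02-01 08:07:00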
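
The effect of the encoding argument on a length field, as an added stand-alone example that is not code from the question, the answers or Wireshark. `read_u32` and `foo_payload_len` are hypothetical stand-ins that mimic the Boolean treatment described in the quoted proto.h comment, the two `ENC_` values are the ones that comment gives, and the sample PDU is constructed. It shows why the byte order matters for a parser: the same four bytes read big-endian declare a length far larger than the captured data, so the bounds check rejects the PDU.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Values as stated in the proto.h comment quoted above. */
#define ENC_BIG_ENDIAN    0x00000000u
#define ENC_LITTLE_ENDIAN 0x80000000u

/* Hypothetical stand-in for a 4-byte integer fetch from a capture buffer.
 * Zero encoding means big-endian, non-zero means little-endian (the Boolean
 * treatment the comment describes). Returns 0 on success, -1 if the field
 * would run past the captured data. */
static int read_u32(const uint8_t *buf, size_t len, size_t offset,
                    uint32_t encoding, uint32_t *out)
{
    if (offset > len || len - offset < 4)
        return -1;
    const uint8_t *p = buf + offset;
    if (encoding != 0)
        *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
               (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    else
        *out = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
               (uint32_t)p[2] << 8 | (uint32_t)p[3];
    return 0;
}

/* Hypothetical "foo" PDU: 4-byte length, then that many payload bytes.
 * Returns the payload length if it fits in the buffer, -1 otherwise. */
static long foo_payload_len(const uint8_t *buf, size_t len, uint32_t encoding)
{
    uint32_t n;
    if (read_u32(buf, len, 0, encoding, &n) != 0)
        return -1;
    if (n > len - 4)          /* declared length exceeds captured data */
        return -1;
    return (long)n;
}

/* Constructed sample: length 5 sent little-endian, then 5 payload bytes. */
static const uint8_t sample[] = { 0x05, 0x00, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o' };

int main(void)
{
    printf("little-endian: %ld\n", foo_payload_len(sample, sizeof sample, ENC_LITTLE_ENDIAN));
    printf("big-endian:    %ld\n", foo_payload_len(sample, sizeof sample, ENC_BIG_ENDIAN));
    return 0;
}
```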