将 FT_UNIT32 字段解释为小端

发布于 2024-10-16 16:24:10 字数 356 浏览 3 评论 0原文

我正在为自定义协议编写 Wireshark 解析器。但是，我有一个无符号 32 位整数字段。它实际上是以小端形式传输的。我如何强制 Wireshark 如此解释它？

即我的 hf_register_info 结构包含

&hf_foo_length,
{ "Length", "foo.length", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }

在我调用的解剖函数中

proto_tree_add_item(foo_tree, hf_foo_length, tvb, offset, 4, FALSE);

原文

I'm in the middle of writing a Wireshark dissector for a custom protocol.
However, I have a field which is a unsigned 32-bit integer. It's actually transmitted in little endian form. How do I force Wireshark to interpret it as such?

i.e. my hf_register_info struct contains

&hf_foo_length,
{ "Length", "foo.length", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }

And in the dissect function I'm calling

proto_tree_add_item(foo_tree, hf_foo_length, tvb, offset, 4, FALSE);

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

我很坚强 2024-10-23 16:24:10

回答我的最后一个问题。我发现，如果 proto_tree_add_item 的最后一个参数非零，则会使其将该字段解释为小端。

参见proto.h

/*
 * We might also, in the future, want to allow a field specifier to
 * indicate the encoding of the field, or at least its default
 * encoding, as most fields in most protocols always use the
 * same encoding (although that's not true of all fields, so we
 * still need to be able to specify that at run time).
 *
 * So, for now, we define ENC_BIG_ENDIAN and ENC_LITTLE_ENDIAN as
 * bit flags, to be combined, in the future, with other information
 * to specify the encoding in the last argument to
 * proto_tree_add_item(), and possibly to specify in a field
 * definition (e.g., ORed in with the type value).
 *
 * Currently, proto_tree_add_item() treats its last argument as a
 * Boolean - if it's zero, the field is big-endian, and if it's non-zero,
 * the field is little-endian - and other code in epan/proto.c does
 * the same.  We therefore define ENC_BIG_ENDIAN as 0x00000000 and
 * ENC_LITTLE_ENDIAN as 0x80000000 - we're using the high-order bit
 * so that we could put a field type and/or a value such as a character
 * encoding in the lower bits.
 */

To answer my last question. I discovered that if the last parameter of proto_tree_add_item if non-zero will make it interpret the field as little-endian.

See proto.h

/*
 * We might also, in the future, want to allow a field specifier to
 * indicate the encoding of the field, or at least its default
 * encoding, as most fields in most protocols always use the
 * same encoding (although that's not true of all fields, so we
 * still need to be able to specify that at run time).
 *
 * So, for now, we define ENC_BIG_ENDIAN and ENC_LITTLE_ENDIAN as
 * bit flags, to be combined, in the future, with other information
 * to specify the encoding in the last argument to
 * proto_tree_add_item(), and possibly to specify in a field
 * definition (e.g., ORed in with the type value).
 *
 * Currently, proto_tree_add_item() treats its last argument as a
 * Boolean - if it's zero, the field is big-endian, and if it's non-zero,
 * the field is little-endian - and other code in epan/proto.c does
 * the same.  We therefore define ENC_BIG_ENDIAN as 0x00000000 and
 * ENC_LITTLE_ENDIAN as 0x80000000 - we're using the high-order bit
 * so that we could put a field type and/or a value such as a character
 * encoding in the lower bits.
 */

回复收藏 0 原文

~没有更多了~