[pcap-ng-format] The spec does not make it clear what format the block total length is in
Richard Sharpe
realrichardsharpe at gmail.com
Sat May 12 15:26:28 PDT 2012
On Sat, May 12, 2012 at 3:18 PM, Guy Harris <guy at alum.mit.edu> wrote:
>
> On May 12, 2012, at 1:16 PM, Richard Sharpe wrote:
>
>> In reading this document:
>> http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
>>
>> it does not make it clear whether or not the block total length is
>> little endian, big endian, or you have to read the endian magic in the
>> SHB to figure that out.
>
> You have to read the endian magic in the SHB to figure that out. pcap-ng is like pcap
> in that regard.
>
> The spec should state up front that the byte order for all multi-byte fields in blocks in a
> section is indicated by the byte-order magic in the SHB for that section.
Yes, I think that the spec should make this really clear.
[Useful algorithm removed ...]
--
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)
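The rule stated in the reply above (read the byte-order magic in the SHB before trusting any multi-byte field, including the block total length), as an added example that is not part of the original message and not code from any pcap-ng implementation. It goes slightly beyond the thread by also bounds-checking the length once the byte order is known. Assumptions: the SHB block type `0x0A0D0D0A`, the magic `0x1A2B3C4D` and the 28-byte minimal SHB layout come from the pcap-ng specification rather than from this thread, and all function names are hypothetical.

```python
import struct

SHB_TYPE = 0x0A0D0D0A          # palindromic: reads the same in either byte order
BYTE_ORDER_MAGIC = 0x1A2B3C4D  # written in the capturing host's byte order

def section_byte_order(buf, off=0):
    """Return '<' or '>' for the section whose SHB starts at off."""
    if len(buf) - off < 12:
        raise ValueError("truncated SHB")
    # Only the block type is read here; the length at off+4 is not trusted yet.
    if struct.unpack_from("<I", buf, off)[0] != SHB_TYPE:
        raise ValueError("not a Section Header Block")
    magic = buf[off + 8:off + 12]
    for order in ("<", ">"):
        if struct.unpack(order + "I", magic)[0] == BYTE_ORDER_MAGIC:
            return order
    raise ValueError("bad byte-order magic")

def block_lengths(buf):
    """Yield (block_type, total_length) per block, re-reading the byte
    order at every SHB because each section may use a different one."""
    off, order = 0, None
    while off < len(buf):
        if len(buf) - off < 12:
            raise ValueError("truncated block header")
        if struct.unpack_from("<I", buf, off)[0] == SHB_TYPE:
            order = section_byte_order(buf, off)
        elif order is None:
            raise ValueError("file does not start with an SHB")
        btype, total = struct.unpack_from(order + "II", buf, off)
        # Validate before the length is used to seek, slice or allocate.
        if total < 12 or total % 4 or total > len(buf) - off:
            raise ValueError("invalid block total length %d" % total)
        trailer = struct.unpack_from(order + "I", buf, off + total - 4)[0]
        if trailer != total:
            raise ValueError("leading/trailing length mismatch")
        yield btype, total
        off += total

def make_shb(order):
    """Constructed sample: minimal 28-byte SHB, version 1.0, no options."""
    return struct.pack(order + "IIIHHqI", SHB_TYPE, 28, BYTE_ORDER_MAGIC,
                       1, 0, -1, 28)
```

Reading the length of a big-endian SHB as little endian yields 0x1C000000 instead of 28, which is why the magic has to be consulted first.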