2011-02-09 62 views
1

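Interpreting an FT_UINT32 field as little endian

I am writing a Wireshark dissector for a custom protocol. However, I have a field that is an unsigned 32-bit integer. It is actually transmitted in little-endian form. How do I force Wireshark to interpret it that way?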

That is, my hf_register_info struct contains

&hf_foo_length, 
{ "Length", "foo.length", FT_UINT32, BASE_DEC, 
NULL, 0x0, NULL, HFILL } 

and in the dissector function I call

proto_tree_add_item(foo_tree, hf_foo_length, tvb, offset, 4, FALSE); 

Answers

2

Answering my last question. I found that if the last argument of proto_tree_add_item is non-zero, it will interpret the field as little-endian.

See proto.h

/* 
* We might also, in the future, want to allow a field specifier to 
* indicate the encoding of the field, or at least its default 
* encoding, as most fields in most protocols always use the 
* same encoding (although that's not true of all fields, so we 
* still need to be able to specify that at run time). 
* 
* So, for now, we define ENC_BIG_ENDIAN and ENC_LITTLE_ENDIAN as 
* bit flags, to be combined, in the future, with other information 
* to specify the encoding in the last argument to 
* proto_tree_add_item(), and possibly to specify in a field 
* definition (e.g., ORed in with the type value). 
* 
* Currently, proto_tree_add_item() treats its last argument as a 
* Boolean - if it's zero, the field is big-endian, and if it's non-zero, 
* the field is little-endian - and other code in epan/proto.c does 
* the same. We therefore define ENC_BIG_ENDIAN as 0x00000000 and 
* ENC_LITTLE_ENDIAN as 0x80000000 - we're using the high-order bit 
* so that we could put a field type and/or a value such as a character 
* encoding in the lower bits. 
*/ 
+0

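Or, even better, use ENC_LITTLE_ENDIAN; for some data formats, the last argument is not just checked for zero versus non-zero, it is also checked for other characteristics of the data format, for example, for strings, the character encoding. (If you use ENC_BIG_ENDIAN and ENC_LITTLE_ENDIAN, the code is also clearer.) – 2013-02-01 08:07:00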
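
The effect of the encoding argument on a 4-byte length field, as an added stand-alone example that is not part of the original posts and is not Wireshark code. The helper `read_u32` and the sample packet are hypothetical; the two flag values are the ones given in the quoted proto.h comment, and the zero/non-zero rule is the one that comment describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values as given in the proto.h comment quoted above. */
#define ENC_BIG_ENDIAN    0x00000000u
#define ENC_LITTLE_ENDIAN 0x80000000u

/* Hypothetical helper (not a Wireshark function): decode a 4-byte unsigned
 * field at `offset`, treating `encoding` the way the quoted comment says
 * proto_tree_add_item() does: zero = big-endian, non-zero = little-endian.
 * Returns 0 on success, -1 if the field would run past the buffer. */
static int read_u32(const uint8_t *buf, size_t len, size_t offset,
                    uint32_t encoding, uint32_t *out)
{
    if (offset > len || len - offset < 4)
        return -1;
    const uint8_t *p = buf + offset;
    if (encoding != 0)
        *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
               (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    else
        *out = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
               (uint32_t)p[2] << 8 | (uint32_t)p[3];
    return 0;
}

/* Constructed sample: 2-byte header, then foo.length = 16 sent little-endian. */
static const uint8_t sample_pkt[] = { 0xAA, 0xBB, 0x10, 0x00, 0x00, 0x00 };

int main(void)
{
    uint32_t v;
    if (read_u32(sample_pkt, sizeof sample_pkt, 2, ENC_BIG_ENDIAN, &v) == 0)
        printf("ENC_BIG_ENDIAN    -> %u\n", (unsigned)v);
    if (read_u32(sample_pkt, sizeof sample_pkt, 2, ENC_LITTLE_ENDIAN, &v) == 0)
        printf("ENC_LITTLE_ENDIAN -> %u\n", (unsigned)v);
    if (read_u32(sample_pkt, sizeof sample_pkt, 4, ENC_LITTLE_ENDIAN, &v) != 0)
        printf("offset 4: field runs past the end of the buffer\n");
    return 0;
}
```

A length field decoded with the wrong byte order turns 16 into 268435456, so a dissector that uses the decoded length should validate it against the bytes actually remaining in the packet.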