I was trying to convert a usbsnoop USB capture log into pcap format
(BTW, text2pcap is very nifty), and I realized that usbsnoop is not
byte-swapping the setup packet fields as this comment from the top of
packet-usb.c implies:
/* Man this is suboptimal.
* The USB Header and the setup data are BIG ENDIAN
* but all the real usb data is LITTLE ENDIAN.
*/
(usbsnoop presents the USB header fields separately, not as a sequence
of bytes, so there is no ambiguity there.)
Granted, since wirecap cannot read usbsnoop logfiles directly, the
byte-swapping could be done in whatever tool translates the data to
pcap format, but I am sure that there are other USB protocol analyzer
users out there who are expecting the setup packet to be in
little-endian format, as it is on the wire.
It doesn't look like this dissector has any preferences registered
yet. Would anyone object to a patch that adds a preference for
byte-swapping? (The default could be set to match the current
behavior.)
--
- Charles Lepple
