Wireshark-dev: Re: [Wireshark-dev] N in 1 packets

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 10 Dec 2011 22:23:17 -0800

On Dec 9, 2011, at 3:11 PM, Akos Vandra wrote:

> For my thesis project I am trying to get a new type of data source,
> ARM TPIU trace messages to work with Wireshark.
> 
> I am starting off getting the hang of how libpcap works, however a
> strange problem arose, that I don't know how would be best handled.
> 
> "On the wire", there are fixed, 16-byte frames. However these frames
> don't contain any useful data, they only act as a container for
> smaller data packets, which are packed, and sent together.

	...

> Also, sometimes these
> "sub-packets" are not within a single 16-byte frame, sometimes they
> are split, if the remaining space in the 16-byte frame is too small
> for the packet to fit.

So if those 16-byte frames have no internal structure (for example, you don't have a time stamp in each frame), but are just like, for example, the line boundaries in a hex dump, my inclination would be to have the pcap module break the byte stream into packets, even if that means that it needs to buffer a partial packet in a case where a 16-byte frame contains the beginning of a packet but not the end of the packet.
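
The buffering approach suggested in the reply, as an added example (not code from this thread, libpcap or Wireshark): a reassembler that carries a partial packet across 16-byte frame boundaries and bounds the declared length before buffering anything. The sub-packet layout is an assumption, since the thread does not give the TPIU format: a 1-byte length header followed by that many payload bytes, a zero byte as padding, and `MAX_PKT` as a hypothetical cap; all names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_LEN 16
#define MAX_PKT   64            /* assumed cap on one sub-packet's payload */

struct reasm {                  /* state carried across 16-byte frames */
    uint8_t  buf[MAX_PKT];      /* partial packet buffered so far */
    size_t   have, want;        /* bytes collected / expected; want==0: need header */
    unsigned errors;            /* length headers rejected as out of range */
};
struct sink { int count; size_t last_len; uint8_t last[MAX_PKT]; };

/* Example consumer: counts packets and keeps a copy of the last one. */
void sink_cb(const uint8_t *p, size_t n, void *ctx) {
    struct sink *s = ctx;
    s->count++; s->last_len = n; memcpy(s->last, p, n);
}

/* Feed one frame; call cb per completed packet; return how many completed. */
int reasm_feed(struct reasm *r, const uint8_t *frame,
               void (*cb)(const uint8_t *, size_t, void *), void *ctx) {
    int done = 0;
    for (size_t i = 0; i < FRAME_LEN; ) {
        if (r->want == 0) {                     /* expecting a length byte */
            uint8_t n = frame[i++];
            if (n == 0) continue;               /* assumed padding */
            if (n > MAX_PKT) { r->errors++; continue; }  /* bound before buffering */
            r->want = n; r->have = 0;
            continue;
        }
        size_t take = r->want - r->have;        /* bytes still missing */
        if (take > FRAME_LEN - i) take = FRAME_LEN - i;
        memcpy(r->buf + r->have, frame + i, take);
        r->have += take; i += take;
        if (r->have == r->want) { cb(r->buf, r->want, ctx); r->want = 0; done++; }
    }
    return done;
}

int main(void) {
    /* Constructed input: a 3-byte packet, then a 20-byte packet that spills over. */
    uint8_t f1[FRAME_LEN] = {3, 'a', 'b', 'c', 20}, f2[FRAME_LEN] = {0};
    memset(f1 + 5, 'x', 11); memset(f2, 'x', 9);
    struct reasm r = {0}; struct sink s = {0};
    int n1 = reasm_feed(&r, f1, sink_cb, &s), n2 = reasm_feed(&r, f2, sink_cb, &s);
    printf("frame1=%d frame2=%d last_len=%zu\n", n1, n2, s.last_len);
}
```

After a rejected length byte the reader simply treats the next byte as a header; a real format would need its own resynchronisation rule.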