Wireshark-dev: Re: [Wireshark-dev] N in 1 packets

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 11 Dec 2011 15:02:44 -0800

On Dec 11, 2011, at 2:21 PM, Akos Vandra wrote:

> I thought I would decode these timestamp messages, and use them to
> construct the pcap_pkthdr structure's ts field, as the arrival time
> cannot be manipulated later from within a dissector

That's probably the best thing to do.  "X us have passed" probably aren't, in and of themselves, interesting events.

> What do you mean I have to provide a description of the messages? They
> just contain the message source ID (there are multiple trace sources
> within the trace peripheral for hardware messages, software
> (printf-like) messages, and instruction tracing), and the message raw
> data, nothing special.

Then you'd say that a message consists of an n-byte message source ID in whatever byte order it's in if n > 1, followed by some number of bytes of payload; a reference to an ARM document, even if you have to be a Registered Customer to see it, would suffice as a description of the payload.  Presumably the number of bytes of payload would be the total packet length minus the length of the message source ID.

See

	http://www.tcpdump.org/linktypes.html

for examples of how link-layer header types are described.