On Jan 10, 2014, at 11:21 AM, Jakub Zawadzki <darkjames-ws@xxxxxxxxxxxx> wrote:
> In packet-nflog.c I'm trying to guess endianess (nflog_tvb_byte_order())
Sadly, nflog doesn't have a fixed amount of fixed-format data that is in host byte order, with everything else in a standard byte order, so guessing the byte endianness is the best you can do.
Guessing the byte endianness requires at least one field where the maximum value requires fewer bits than the field size, so that some bits are guaranteed to be zero, and where at least one of those bytes is guaranteed to be *non-zero* in a byte-swapped version of a valid value. For example, a value that won't be > 65535, in a 4-byte field that's never zero, would be sufficient.
If there is no such field, and there's a fixed amount of fixed-format data in host byte order, you need to do the byte-swap-on-read that libpcap and libwiretap do.
