[pcap-ng-format] The spec does not make it clear what format the block total length is in

Guy Harris guy at alum.mit.edu
Sat May 12 15:18:40 PDT 2012


On May 12, 2012, at 1:16 PM, Richard Sharpe wrote:

> In reading this document:
> http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
> 
> it does not make it clear whether or not the block total length is
> little endian, big endian, or you have to read the endian magic in the
> SHB to figure that out.

You have to read the endian magic in the SHB to figure that out.  pcap-ng is like pcap in that regard.

The spec should state up front that the byte order for all multi-byte fields in blocks in a section is indicated by the byte-order magic in the SHB for that section.

This means that code that reads blocks should:

	read the first 4 octets of the block (if there are 0 octets left, that's an EOF; otherwise, it's an incorrect file);

	if those octets are 0x0A0D0D0A, it's an SHB:

		the code should read the next 8 octets, check for a valid byte-order magic number - if it doesn't see one, then:

			if this is the first block in the file, it's not a pcap-ng file;

			otherwise, the rest of the file is invalid;

		and, if it's a valid byte-order magic number, use that byte order for the rest of the fields in the SHB and in all subsequent blocks until the next SHB, and then check the length field of the SHB to make sure it's at least 28 (if not, the SHB and the rest of the file are invalid);

	if those octets aren't 0x0A0D0D0A, process it using the current byte order.
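The reading procedure above, as an added example that is not code from the post or from the pcap-ng project: a Python block walker that takes the byte order from each SHB's byte-order magic (0x1A2B3C4D, read both ways) and applies it to every following block until the next SHB. The builder functions, the constructed sample file (a little-endian section followed by a big-endian one) and the check_file helper are assumptions for the demonstration; the trailing-length and 4-octet-alignment checks go beyond the steps listed in the message.

```python
import struct

SHB_TYPE = 0x0A0D0D0A          # palindromic, so it reads the same in either byte order
BYTE_ORDER_MAGIC = 0x1A2B3C4D  # the SHB byte-order magic from the pcap-ng spec
SHB_MIN_LEN = 28               # type + total length + magic + version + section length + total length
BLOCK_MIN_LEN = 12             # type + leading total length + trailing total length


class PcapngError(ValueError):
    """Raised for anything the reader refuses to interpret."""


def detect_byte_order(magic_bytes):
    """Return the struct prefix ('<' or '>') implied by the 4-octet magic, or None."""
    if struct.unpack('<I', magic_bytes)[0] == BYTE_ORDER_MAGIC:
        return '<'
    if struct.unpack('>I', magic_bytes)[0] == BYTE_ORDER_MAGIC:
        return '>'
    return None


def read_blocks(data):
    """Yield (block_type, byte_order, body) for each block, following the steps in the post."""
    offset = 0
    order = None  # no byte order is known until the first SHB has been seen
    while True:
        remaining = len(data) - offset
        if remaining == 0:
            return  # 0 octets left: clean EOF
        if remaining < 4:
            raise PcapngError('truncated block header at offset %d' % offset)
        head = data[offset:offset + 4]
        if head == b'\x0a\x0d\x0d\x0a':
            # SHB: the next 8 octets are the total length and the byte-order magic
            if remaining < 12:
                raise PcapngError('truncated SHB at offset %d' % offset)
            new_order = detect_byte_order(data[offset + 8:offset + 12])
            if new_order is None:
                if order is None:
                    raise PcapngError('not a pcap-ng file: bad byte-order magic in first block')
                raise PcapngError('invalid SHB at offset %d: rest of file is invalid' % offset)
            order = new_order
            total_len = struct.unpack(order + 'I', data[offset + 4:offset + 8])[0]
            if total_len < SHB_MIN_LEN:
                raise PcapngError('SHB total length %d < %d at offset %d' % (total_len, SHB_MIN_LEN, offset))
            block_type = SHB_TYPE
        else:
            if order is None:
                raise PcapngError('not a pcap-ng file: first block is not an SHB')
            if remaining < 8:
                raise PcapngError('truncated block header at offset %d' % offset)
            block_type, total_len = struct.unpack(order + 'II', data[offset:offset + 8])
            if total_len < BLOCK_MIN_LEN:
                raise PcapngError('block total length %d < %d at offset %d' % (total_len, BLOCK_MIN_LEN, offset))
        # Extra checks not spelled out in the post: alignment, truncation, trailing length
        if total_len % 4 != 0:
            raise PcapngError('block total length %d not a multiple of 4 at offset %d' % (total_len, offset))
        if total_len > remaining:
            raise PcapngError('block at offset %d runs past end of file' % offset)
        trailer = struct.unpack(order + 'I', data[offset + total_len - 4:offset + total_len])[0]
        if trailer != total_len:
            raise PcapngError('trailing length %d != leading length %d at offset %d' % (trailer, total_len, offset))
        yield block_type, order, data[offset + 8:offset + total_len - 4]
        offset += total_len


def check_file(data):
    """Return (True, block count) or (False, error message); convenient for triage and tests."""
    try:
        return True, len(list(read_blocks(data)))
    except PcapngError as exc:
        return False, str(exc)


# --- constructed sample data (assumption: minimal SHB and IDB with no options) ---

def build_block(order, block_type, body):
    total = len(body) + BLOCK_MIN_LEN
    return struct.pack(order + 'II', block_type, total) + body + struct.pack(order + 'I', total)


def build_shb(order):
    # magic, major 1, minor 0, section length unspecified (all ones)
    return build_block(order, SHB_TYPE, struct.pack(order + 'IHHQ', BYTE_ORDER_MAGIC, 1, 0, 0xFFFFFFFFFFFFFFFF))


def build_idb(order):
    # Interface Description Block: linktype 1 (Ethernet), reserved, snaplen 65535
    return build_block(order, 1, struct.pack(order + 'HHI', 1, 0, 65535))


def build_sample():
    """Little-endian section then big-endian section, each with one IDB."""
    return build_shb('<') + build_idb('<') + build_shb('>') + build_idb('>')


def summarize(data):
    return [(block_type, order, len(body)) for block_type, order, body in read_blocks(data)]


if __name__ == '__main__':
    for entry in summarize(build_sample()):
        print(entry)
```

The byte order flips at the second SHB without any hint in the IDB headers themselves, which is exactly why a reader that guesses the block total length's endianness from the file's first section will misparse a multi-section file.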

