On Dec 11, 2011, at 2:21 PM, Akos Vandra wrote:
> I thought I will decode these timestamp messages, and use them to
> construct the pcap_pkthdr structure's ts field, as the arrival time
> cannot be manipulated later from within a dissector
That's probably the best thing to do. "X us have passed" probably aren't, in and of themselves, interesting events.
> What do you mean I have to provide a description of the messages? They
> just contain the message source ID (there are multiple trace sources
> within the trace peripheral for hardware messages, software
> (printf-like) messages, and instruction tracing), and the message raw
> data, nothing special.
Then you'd say that a message consists of an n-byte message source ID in whatever byte order it's in if n > 1, followed by some number of bytes of payload; a reference to an ARM document, even if you have to be a Registered Customer to see it, would suffice as a description of the payload. Presumably the number of bytes of payload would be the total packet length minus the length of the message source ID.
See
http://www.tcpdump.org/linktypes.html
for examples of how link-layer header types are described.