Fabiano Ricci <fabiano.ricci@...> writes:
> > You can let the user configure the filter by preferences.
A preference is a good idea; however, it does require that the user manually
change it to match the packets, and it doesn't allow for both big-endian and
little-endian packets to be analyzed within the same capture file, which may
or may not be important to you.

Heuristics are sometimes unreliable though and sometimes [nearly to totally]
impossible. If that's the case, then a preference is the way to go. On the
other hand, if there is a more-or-less sure way to determine endian-ness by
examining the data in the packets, then you remove the burden from the user
as well as allow for the possibility of both big-endian and little-endian
packets to be successfully analyzed in the same capture file without any
problems.

Of course, even if you do add heuristics to determine endian-ness, you could
add a preference too, which could override the heuristics in the event that
the heuristics got it wrong.

Read more about heuristics in doc/README.heuristic. There are plenty of
examples in the Wireshark sources too.
- Chris
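
Added example (not part of the original message and not Wireshark code): a per-packet endianness heuristic with a preference that overrides it, as the reply describes. The header layout (u16 version in 1..3, u16 payload length), all names and the sample packets are assumptions made up for illustration, and no Wireshark API is used.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical preference: AUTO defers to the heuristic, the others override it. */
typedef enum { PREF_AUTO, PREF_BIG, PREF_LITTLE } endian_pref_t;
typedef enum { ORDER_UNKNOWN, ORDER_BIG, ORDER_LITTLE } byte_order_t;

/* Constructed sample packets for the made-up header: u16 version, u16 payload length. */
static const uint8_t pkt_be[]  = { 0x00, 0x02, 0x00, 0x03, 0xAA, 0xBB, 0xCC };
static const uint8_t pkt_le[]  = { 0x02, 0x00, 0x03, 0x00, 0xAA, 0xBB, 0xCC };
static const uint8_t pkt_cut[] = { 0x00, 0x02, 0x00, 0x10, 0xAA }; /* truncated capture */

static uint16_t rd16(const uint8_t *p, int little)
{
    return little ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}

/* Does the header make sense in this byte order? Version 1..3, length matches. */
static int plausible(const uint8_t *buf, size_t len, int little)
{
    uint16_t version = rd16(buf, little);
    uint16_t paylen  = rd16(buf + 2, little);
    return version >= 1 && version <= 3 && (size_t)paylen + 4 == len;
}

/* Heuristic: accept a byte order only if exactly one interpretation is plausible. */
byte_order_t guess_order(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 4) return ORDER_UNKNOWN;
    int be = plausible(buf, len, 0), le = plausible(buf, len, 1);
    if (be == le) return ORDER_UNKNOWN; /* neither fits (or both): do not guess */
    return be ? ORDER_BIG : ORDER_LITTLE;
}

/* Per-packet decision: an explicit preference wins over the heuristic. */
byte_order_t resolve_order(endian_pref_t pref, const uint8_t *buf, size_t len)
{
    if (pref == PREF_BIG) return ORDER_BIG;
    if (pref == PREF_LITTLE) return ORDER_LITTLE;
    return guess_order(buf, len);
}

int main(void)
{
    printf("%d %d %d\n", resolve_order(PREF_AUTO, pkt_be, sizeof pkt_be),
           resolve_order(PREF_AUTO, pkt_le, sizeof pkt_le),
           resolve_order(PREF_AUTO, pkt_cut, sizeof pkt_cut));
    return 0;
}
```

Because the decision is made per packet, big-endian and little-endian packets in one capture each get their own answer when the preference is left on AUTO.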