sr wrote:

> I have two identical files, one in big-endian, the other in
> little-endian formats.

I assume you're talking about libpcap-format files.

> The version number is the same 0x02000400 in
> both. Wireshark reads both files. Does it mean that the version number
> is not parsed?

No, because it *is* parsed.

However, Wireshark doesn't require that the major and minor version
number be in a narrow range of values - it does check for some
particular values, but it accepts just about any value, as long as the
major version number is 2 or greater. Libpcap does most of the same
stuff that Wireshark does - and doesn't do any additional version number
checks - so libpcap-based applications such as tcpdump should also read
both files.
If the major version number is 0x02 0x00 and the minor version number is
0x04 0x00 in a big-endian capture, it will appear to have a major
version number of 512 and a minor version number of 1024.
However, whatever program wrote the big-endian file should be fixed to
write out the version number correctly, just in case some other
software, or some future version of Wireshark or libpcap, makes more
checks of the version number.
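
The byte-order effect described in the message above, as an added example (not part of the original message and not Wireshark or libpcap code): a reader detects the file's byte order from the standard libpcap magic number 0xa1b2c3d4 and then decodes the two 16-bit version fields in that order. The function names, the sample headers and the `version_accepted` check (which only mirrors the "major version 2 or greater" rule stated in the message) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PCAP_MAGIC 0xa1b2c3d4u /* standard libpcap magic, written in the writer's byte order */

struct pcap_version { int big_endian; unsigned major, minor; };

/* Read a 16-bit field in the byte order the magic number told us to use. */
static uint16_t rd16(const uint8_t *p, int be) {
    return be ? (uint16_t)(p[0] << 8 | p[1]) : (uint16_t)(p[1] << 8 | p[0]);
}

/* Returns 0 on success, -1 if the buffer is too short or the magic is unknown. */
int parse_pcap_version(const uint8_t *b, size_t len, struct pcap_version *out) {
    if (len < 8) return -1;
    uint32_t as_be = (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3];
    uint32_t as_le = (uint32_t)b[3] << 24 | (uint32_t)b[2] << 16 | (uint32_t)b[1] << 8 | b[0];
    if (as_be == PCAP_MAGIC) out->big_endian = 1;
    else if (as_le == PCAP_MAGIC) out->big_endian = 0;
    else return -1;
    out->major = rd16(b + 4, out->big_endian);
    out->minor = rd16(b + 6, out->big_endian);
    return 0;
}

/* Hypothetical stand-in for the loose rule in the message: major >= 2. */
int version_accepted(const struct pcap_version *v) { return v->major >= 2; }

/* Constructed sample headers (first 8 bytes of the file header only). */
const uint8_t LE_FILE[8]  = {0xd4, 0xc3, 0xb2, 0xa1, 0x02, 0x00, 0x04, 0x00};
const uint8_t BE_FILE[8]  = {0xa1, 0xb2, 0xc3, 0xd4, 0x02, 0x00, 0x04, 0x00}; /* version bytes not swapped */
const uint8_t BE_FIXED[8] = {0xa1, 0xb2, 0xc3, 0xd4, 0x00, 0x02, 0x00, 0x04}; /* what the writer should emit */

int main(void) {
    const uint8_t *files[] = {LE_FILE, BE_FILE, BE_FIXED};
    const char *names[] = {"little-endian", "big-endian (as written)", "big-endian (fixed)"};
    for (int i = 0; i < 3; i++) {
        struct pcap_version v;
        if (parse_pcap_version(files[i], 8, &v) != 0) continue;
        printf("%-24s version %u.%u accepted=%d\n", names[i], v.major, v.minor, version_accepted(&v));
    }
    return 0;
}
```

A stricter reader that insisted on version 2.4 would reject the second header while still accepting the first and third, which is why the writer should be fixed.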