tcpdump mailing list archives
Re: byte order
From: Guy Harris <gharris () sonic net>
Date: Sun, 8 Dec 2002 13:38:01 -0800
On Fri, Dec 06, 2002 at 01:00:11PM -0500, James S. Johnson wrote:
I am running tcpdump-3.7.1 with libpcap-0.7.1 on an i686. tcpdump displays data in sixteen bit units, e.g. 0x0000 011e 5430 0001 0013 ... It is my understanding that octets on an ethernet line come off the wire most significant bit first (they are "bitwise big endian") but which octet in the sixteen bit unit comes off the wire first?
The uppermost octet. Tcpdump really displaying octets but not bothering to put spaces in between odd-numbered and even-numbered octets ("odd-numbered" in the 1-origin sense, i.e. the first octet is an odd-numbered octet). For example, IPv4 packets often show up starting with "45xx", with the 45 being the version/length field, which is the first octet in the IPv4 header.
In the example above, is it: (first bit off the wire on the left) 0000 0001 0001 1110 (01 first, then 1e)
Yes. This is independent of the link layer type, obviously. - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Current thread:
- byte order James S. Johnson (Dec 06)
- Re: byte order Guy Harris (Dec 08)