Re: byte order

[Guy Harris <gharris () sonic net>]

On Fri, Dec 06, 2002 at 01:00:11PM -0500, James S. Johnson wrote:
> I am running tcpdump-3.7.1 with libpcap-0.7.1 on an i686.  tcpdump displays 
> data in sixteen bit units, e.g.
> 0x0000   011e 5430 0001 0013 ...
>
> It is my understanding that octets on an ethernet line come off the wire most 
> significant bit first (they are "bitwise big endian") but which octet in the 
> sixteen bit unit comes off the wire first?

The uppermost octet.  Tcpdump really displaying octets but not bothering
to put spaces in between odd-numbered and even-numbered octets
("odd-numbered" in the 1-origin sense, i.e.  the first octet is an
odd-numbered octet).

For example, IPv4 packets often show up starting with "45xx", with the
45 being the version/length field, which is the first octet in the IPv4
header.

> In the example above, is it:
>
> (first bit off the wire on the left)
> 0000 0001 0001 1110  (01 first, then 1e)

Yes.

This is independent of the link layer type, obviously.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe