Ethereal-users: [Ethereal-users] tcpdump/libpcap file format

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Tim Everitt" <tim.everitt@xxxxxxxx>
Date: Fri, 22 Aug 2003 11:56:23 +0100
The recent correspondence on the tcpdump/libpcap file formats got me
interested... and then puzzled!

I captured a single ping request and response on my Ethereal 0.9.9 on
RHLinux 7.3 on Intel (little endian).

I then used hexdump to take a look inside the saved tcpdump/libpcap file.

The file and packet headers are clear but the body of the packets is a
puzzle as savefile.c is very clear that "Note that the packets are always
written in network byte order".

In my file, a packet that would be 1, 2, 3, 4, 5, 6, 7, 8, etc. in network
byte order appears in the file as 2, 1, 4, 3, 6, 5, 8, 7, etc.

This looks to me as if the packet has been treated as a set of short (2
byte) unsigned integers which have then been written to the file in host
byte order [little-endian on my system].

Anyone able to clarify this ridiculously trivial posting about a superb
system?

Tim Everitt.
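
An added example, not part of the original post and not code from libpcap or Ethereal: a minimal reader for the classic libpcap file layout that decodes the file and record headers in the byte order indicated by the magic number and returns the packet bytes exactly as stored, alongside a rendering of the same bytes as 16-bit units in little-endian host order, which is how a word-oriented hex dump displays them. The sample file, the function names and the 1..8 payload are constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic, microsecond timestamps

def build_sample_pcap(payload):
    """Constructed sample: one record, headers written by a little-endian host."""
    file_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    rec_hdr = struct.pack("<IIII", 0, 0, len(payload), len(payload))
    return file_hdr + rec_hdr + payload

def parse_pcap(data):
    """Return (endian, packets); endian is '<' or '>' for the header fields."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte file header")
    for endian in ("<", ">"):
        if struct.unpack_from(endian + "I", data, 0)[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("magic number not recognised")
    packets, offset = [], 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header")
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated packet data")
        # Packet bytes are copied out untouched: no per-field byte swapping.
        packets.append(data[offset:offset + incl_len])
        offset += incl_len
    return endian, packets

def byte_view(buf):
    """One byte at a time, in file order."""
    return " ".join(f"{b:02x}" for b in buf)

def word_view(buf, endian):
    """16-bit units read in the given byte order, as a word-oriented dump prints."""
    if len(buf) % 2:
        buf += b"\x00"
    return " ".join(f"{w:04x}" for (w,) in struct.iter_unpack(endian + "H", buf))

if __name__ == "__main__":
    endian, packets = parse_pcap(build_sample_pcap(bytes(range(1, 9))))
    print("header byte order:", "little" if endian == "<" else "big")
    print("byte view:", byte_view(packets[0]))
    print("word view:", word_view(packets[0], "<"))
```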