Wireshark-users: Re: [Wireshark-users] ICMP Echo Requests & Replies - multiple Identifier & Seque

From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 24 Feb 2011 12:46:32 +0100
On 24 feb 2011, at 12:30, Keith French wrote:

> I have recently seen in Wireshark when looking at an echo request/reply pair, that instead of the identification/sequence numbers used to tie the two packets together, there are now two identifiers and two sequence numbers:-
>  
> Identifier (BE): 512 (0x0200)
> Identifier (LE): 2 (0x0002)
> Sequence number (BE): 4352 (0x1100)
> Sequence number (LE): 17 (0x0011)
>  
> What do the BE & LE signify & how do you use them to tie up the request & reply?

The BE and LE stand for Big Endian and Little Endian [1]. Depending on the OS that generated the Identifier and Sequence numbers, they are in Big Endian or Little Endian order. To make checking for missing sequences (or process ID's in case of the Identifier on some OS'es) easier, we now supply both the BE en LE representation.

Cheers,

Sake

[1]    http://en.wikipedia.org/wiki/Endianness