Wireshark-users: Re: [Wireshark-users] Implementation of DCERPC protocol

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 23 Feb 2012 12:14:44 -0800

On Feb 23, 2012, at 12:51 AM, rahul sharma wrote:

> 1> What does the Byte order to be Little Endian specify?

It specifies that all multi-byte integral and floating-point values are in little-endian format within the DCE RPC request or reply in question.  To quote the DCE RPC spec:

	http://pubs.opengroup.org/onlinepubs/009629399/chap14.htm

"NDR represents signed integers in twos complement format and represents unsigned integers as unsigned binary numbers. There are two integer formats: big-endian and little-endian. If the integer format is big-endian, the octets of the representation are ordered in the octet stream from the most significant octet to the least significant octet. If the integer format is little-endian, the octets of the representation are ordered in the octet stream from the least significant octet to the most significant octet."

Unlike ONC RPC, DCE RPC doesn't use a single standard byte order when encoding values; instead, it uses "receiver makes it right", so that the data is transmitted in the byte order of the sending host, and the receiving host has to translate that into its byte order if necessary.  (It also uses "receiver makes it right" for floating-point numbers - the sender transmits the number in its own format, whether that's IEEE binary, PDP-11/VAX format, Cray format, or IBM System/3x0 format.  Presumably if it supports multiple formats, as Alpha-based machines and later System/390 and all z/Architecture machines do, it uses whatever format the program is using.)
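
The following Python example is added here and is not part of the original message or of Wireshark's code. It applies "receiver makes it right" to the 16-byte connection-oriented common header: it reads the data representation label at offset 4 first and only then decodes `frag_length`, `auth_length` and `call_id` in the sender's byte order. The function name and the sample bytes are constructed for illustration; the header layout and label codes follow the DCE RPC specification.

```python
import struct

# Codes from the NDR format label (DCE RPC spec, chapter 14).
INT_FORMATS = {0: "big-endian", 1: "little-endian"}
CHAR_FORMATS = {0: "ASCII", 1: "EBCDIC"}
FLOAT_FORMATS = {0: "IEEE", 1: "VAX", 2: "Cray", 3: "IBM"}

# Constructed sample headers: the same request PDU (version 5.0, frag_length 24,
# call_id 1) as sent by a little-endian host and by a big-endian host.
SAMPLE_LE = bytes.fromhex("05000003" "10000000" "1800" "0000" "01000000")
SAMPLE_BE = bytes.fromhex("05000003" "00000000" "0018" "0000" "00000001")


def parse_co_header(pdu: bytes) -> dict:
    """Decode the common header, honouring the sender's data representation."""
    if len(pdu) < 16:
        raise ValueError("need at least 16 bytes for the common header")
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = struct.unpack_from("4B", pdu, 0)
    drep = pdu[4:8]
    # drep[0]: high nibble = integer format, low nibble = character format.
    int_code, char_code = drep[0] >> 4, drep[0] & 0x0F
    if int_code not in INT_FORMATS or char_code not in CHAR_FORMATS:
        raise ValueError(f"unknown data representation byte 0x{drep[0]:02x}")
    # The receiver picks the byte order per PDU; nothing is assumed up front.
    order = "<" if int_code == 1 else ">"
    frag_length, auth_length, call_id = struct.unpack_from(order + "HHI", pdu, 8)
    if frag_length < 16:
        # frag_length covers the whole fragment, header included.
        raise ValueError(f"frag_length {frag_length} is shorter than the header")
    return {
        "version": (rpc_vers, rpc_vers_minor),
        "ptype": ptype,
        "pfc_flags": pfc_flags,
        "integer_format": INT_FORMATS[int_code],
        "char_format": CHAR_FORMATS[char_code],
        "float_format": FLOAT_FORMATS.get(drep[1], "unknown"),
        "frag_length": frag_length,
        "auth_length": auth_length,
        "call_id": call_id,
    }


if __name__ == "__main__":
    for name, sample in (("little-endian", SAMPLE_LE), ("big-endian", SAMPLE_BE)):
        print(name, parse_co_header(sample))
```

A parser that hard-codes little-endian would read the big-endian sample's `frag_length` as 6144 instead of 24, which is why length checks in a dissector or detection rule have to come after the label is decoded.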