tcpdump mailing list archives
Ethernet type in wrong byte order
From: "Claudio Lavecchia" <Claudio.Lavecchia () eurecom fr>
Date: Wed, 23 Jun 2004 16:26:12 +0200
Hello, I am using libpcap to build a sniffer. I define an ethernet header as follows : /* Ethernet header */ struct sniff_ethernet { u_char ether_dhost[ETHER_ADDR_LEN]; // Destination host address u_char ether_shost[ETHER_ADDR_LEN]; // Source host address u_short ether_type; // IP? ARP? RARP? etc }; The packets I sniff are then encapsulated in the standard way: the ethernet header precedes the Ip header, then follows the TCP header and then the payload. Up to here, nothing strange, I just got inspired by the sniffer code that is available on the web and that appeared several times in this forum. In my sniffer code I open a sniffing session in the standard libpcap way, everything seems to run smoothly. I run the sniffer on a redhat 7.3 Linux. I use libnet libraries to generate packets that I sniff, so that I can easily debug what happens. If I put an ARP packet on the wire, the sniffer will sniff a packet that contains value 1644 in the ethernet type field of the structure sniff_ethernet described above. If I read ethernet encapsulation specifications, I find out that the value corresponding to a ethernet packet carrying ARP is 0x0806. If I invert the two bytes of this value I obtain 0x0608 which is 1644 in decimal notation. So that is obviously a problem in the byte order. If I sniff ARP packets using ethereal, the ethernet type value is correctly set to 0x0806, so that means that I have a byte order issue. I am not very familiar with this kind of issues, can anyone please explain me what is going on and possibly give me a hint on what is the correct way to handle this kind of issues? Thank you Claudio
Current thread:
- Ethernet type in wrong byte order Claudio Lavecchia (Jun 23)
- Re: Ethernet type in wrong byte order Jefferson Ogata (Jun 23)