tcpdump mailing list archives

Re: Ethernet type in wrong byte order


From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Wed, 23 Jun 2004 12:25:06 -0400

Claudio Lavecchia wrote:
/* Ethernet header */
struct sniff_ethernet {
        u_char  ether_dhost[ETHER_ADDR_LEN];    // Destination host address
        u_char  ether_shost[ETHER_ADDR_LEN];    // Source host address
        u_short ether_type;                     // IP? ARP? RARP? etc
};

If I read ethernet encapsulation specifications, I find out that the value corresponding to an ethernet packet carrying ARP is 0x0806. If I invert the two bytes of this value I obtain 0x0608 which is 1644 in decimal notation. So that is obviously a problem in the byte order. If I sniff ARP packets using ethereal, the ethernet type value is correctly set to 0x0806, so that means that I have a byte order issue. I am not very familiar with this kind of issue; can anyone please explain to me what is going on and possibly give me a hint on what is the correct way to handle this kind of issue?

Intel systems store ints in little-endian format. When you declare a structure field as u_short, the processor reads it in the native format, which is the opposite of how it came across the wire and was actually stored into memory.

Read the man pages for htons and ntohs.

Note that if you try to use structures for this kind of thing, you may eventually end up with alignment issues, where, for example, you are trying to read a 2- or 4-byte integer quantity on an odd byte-boundary. Some processors will hoark if you try to do this. So you might want to define handy functions for memcpying values into a short and long and doing the byte-order switch at the same time.

BTW, packet dissectors are especially easy to write in Perl, using the unpack function, and are then invulnerable to pesky buffer overflows. Just install Net::Pcap.

--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
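
The memcpy-based helpers suggested in the reply above, sketched as an added example that is not part of the original message or of tcpdump's code. The function names be16_at, be32_at and ether_type_of and the sample frame are assumptions made for illustration; each read is bounds-checked against the captured length before copying.

```c
#include <arpa/inet.h>  /* ntohs, ntohl */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_ADDR_LEN 6
#define ETHERTYPE_ARP  0x0806

/* Read a 16-bit network-order field at any offset, aligned or not.
 * Returns the value in host order, or -1 if it lies past caplen. */
long be16_at(const uint8_t *pkt, size_t caplen, size_t off)
{
    uint16_t v;
    if (off > caplen || caplen - off < sizeof v)
        return -1;
    memcpy(&v, pkt + off, sizeof v);  /* byte copy: no alignment trap */
    return ntohs(v);
}

/* Same for a 32-bit field. */
long long be32_at(const uint8_t *pkt, size_t caplen, size_t off)
{
    uint32_t v;
    if (off > caplen || caplen - off < sizeof v)
        return -1;
    memcpy(&v, pkt + off, sizeof v);
    return ntohl(v);
}

/* Constructed sample: first 22 bytes of an ARP request frame. */
const uint8_t sample_frame[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  /* ether_dhost (broadcast) */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,  /* ether_shost (made up) */
    0x08, 0x06,                          /* ether_type as sent on the wire */
    0x00, 0x01, 0x08, 0x00, 0x06, 0x04, 0x00, 0x01  /* start of ARP header */
};

/* EtherType follows the two MAC addresses in the Ethernet header. */
long ether_type_of(const uint8_t *pkt, size_t caplen)
{
    return be16_at(pkt, caplen, 2 * ETHER_ADDR_LEN);
}

int main(void)
{
    printf("ether_type     = 0x%04lx\n", ether_type_of(sample_frame, sizeof sample_frame));
    printf("32 bits at +15 = 0x%08llx\n", be32_at(sample_frame, sizeof sample_frame, 15));
    return 0;
}
```

The second read starts at an odd offset on purpose, which is the case where a direct pointer cast can fault on strict-alignment processors.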
