On Mar 4, 2010, at 7:23 AM, prashanth s wrote:
> I am reading a pcap file and writing to a text file. I am getting a field offset which is supposed to be of three bytes long. How do I read it?
> Should I assume that the three bytes obey the network byte order or are the three bytes of offset are supposed be just read as three bytes of u_char type?
There are no 3-byte fields in the pcap per-packet header, so you must be referring to a field in a packet.
Whether they're a 3-byte integral value in network byte order (big-endian byte order), a 3-byte value in little-endian byte order, 3 one-byte values, a 2-byte integral value in network byte order followed by a 1-byte value, a 2-byte integral value in little-endian byte order followed by a 1-byte value, a 1-byte value followed by a 2-byte value in network byte order, a 1-byte value followed by a 2-byte value in little-endian byte order, etc. is indicated by the specification for the protocol to which that field belongs.
