Wireshark-dev: Re: [Wireshark-dev] network byte order

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 5 May 2011 11:52:42 -0700

On May 5, 2011, at 11:39 AM, Brian Oleksa wrote:

> Most network traffic is in network byte order and uses Big-Endian.

Actually, lots of network traffic is plain text or raw binary data (HTTP, for example), and SMB/SMB2 are little-endian except for the raw binary data (read and write payload) - there are other protocols that use little-endian values as well.

> I am trying to dissect a packet that uses Little-Endian.

Not a problem.  Either

	1) you're fetching values from the packet, and thus converting them from whatever byte order it's in to *host* byte order, in which case:

		for big-endian integral values, you use tvb_get_ntohs() for 2-byte values, tvb_get_ntoh24() for 3-byte values, tvb_get_ntohl() for 4-byte values, tvb_get_ntoh40() for 5-byte values, tvb_get_ntoh48() for 6-byte values, tvb_get_ntoh56() for 7-byte values, and tvb_get_ntoh64() for 8-byte values;

		for big-endian IEEE floating-point values, you use tvb_get_ntohieee_float() for single precision and tvb_get_ntohieee_double() for double-precision;

		for little-endian integral values, you use tvb_get_letohs() for 2-byte values, tvb_get_letoh24() for 3-byte values, tvb_get_letohl() for 4-byte values, tvb_get_letoh40() for 5-byte values, tvb_get_letoh48() for 6-byte values, tvb_get_letoh56() for 7-byte values, and tvb_get_letoh64() for 8-byte values;

		for little-endian IEEE floating-point values, you use tvb_get_letohieee_float() for single precision and tvb_get_letohieee_double() for double-precision;

or

	2) you're just using proto_tree_add_item(), in which case for big-endian values you pass ENC_BIG_ENDIAN as the last argument and for little-endian values you pass ENC_LITTLE_ENDIAN as the last argument.

> Before I write my own "bit decoder"... are there any built-in functions that will "convert" Little-Endian to Big-Endian for me?

No, because that's not what you want to do.  You want either to fetch data and convert it to *host* byte order if you're going to look at the value in your code (for example, a message type value, which you need in order to determine the format of the rest of the message) or just use proto_tree_add_item() if you're just adding the value to the protocol tree.