Discussion:
ICMP Echo Requests & Replies - multiple Identifier & Sequence numbers
Keith French
2011-02-24 11:30:35 UTC
I have recently seen in Wireshark when looking at an echo request/reply pair, that instead of the identification/sequence numbers used to tie the two packets together, there are now two identifiers and two sequence numbers:-

Identifier (BE): 512 (0x0200)
Identifier (LE): 2 (0x0002)
Sequence number (BE): 4352 (0x1100)
Sequence number (LE): 17 (0x0011)

What do the BE & LE signify & how do you use them to tie up the request & reply?
Sake Blok
2011-02-24 11:46:32 UTC
Post by Keith French
I have recently seen in Wireshark when looking at an echo request/reply pair, that instead of the identification/sequence numbers used to tie the two packets together, there are now two identifiers and two sequence numbers:-
Identifier (BE): 512 (0x0200)
Identifier (LE): 2 (0x0002)
Sequence number (BE): 4352 (0x1100)
Sequence number (LE): 17 (0x0011)
What do the BE & LE signify & how do you use them to tie up the request & reply?
The BE and LE stand for Big Endian and Little Endian [1]. Depending on the OS that generated the Identifier and Sequence numbers, they are in Big Endian or Little Endian order. To make checking for missing sequences (or process IDs in case of the Identifier on some OSes) easier, we now supply both the BE and LE representation.

Cheers,

Sake

[1] http://en.wikipedia.org/wiki/Endianness
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users-IZ8446WsY0/***@public.gmane.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request-IZ8446WsY0/***@public.gmane.org?subject=unsubscribe
Stephen Fisher
2011-02-24 17:42:47 UTC
Post by Keith French
What do the BE & LE signify
When we made those changes, I put more detailed explanations that show
up on the bottom left of the Wireshark window:

Identifier (BE) -> "Identifier (big endian representation) (icmp.ident)"
Identifier (LE) -> "Identifier (little endian representation) (icmp.ident)"

and so on.. I wish more dissector writers would use that area instead of
leaving it blank.

Guy Harris
2011-02-24 18:14:28 UTC
Post by Keith French
I have recently seen in Wireshark when looking at an echo request/reply pair, that instead of the identification/sequence numbers used to tie the two packets together, there are now two identifiers and two sequence numbers:-
...or, as others have indicated, one identifier, presented two ways, and one sequence number, presented two ways.
Post by Keith French
& how do you use them to tie up the request & reply?
Look either for matching little-endian values or matching big-endian values.

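The matching described in this thread, as an added example that is not part of the original posts or of Wireshark's code: it decodes the identifier and sequence number both ways, pairs requests with replies, and reports which representation the sender was incrementing. The function names and the sample packets are constructed for illustration, and the input is assumed to be bare ICMP messages (no IP header) exchanged between one pair of hosts.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0

def parse_echo(icmp: bytes):
    """Decode an ICMP echo header; return None for anything else."""
    if len(icmp) < 8:
        return None
    icmp_type, code, _checksum = struct.unpack("!BBH", icmp[:4])
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        return None
    raw = icmp[4:8]                      # identifier + sequence, as on the wire
    ident_be, seq_be = struct.unpack(">HH", raw)
    ident_le, seq_le = struct.unpack("<HH", raw)
    return {"type": icmp_type, "raw": raw, "ident_be": ident_be,
            "ident_le": ident_le, "seq_be": seq_be, "seq_le": seq_le}

def pair_echoes(packets):
    """Return ([(request_index, reply_index)], [unanswered request indexes])."""
    pending, pairs = {}, []
    for index, packet in enumerate(packets):
        echo = parse_echo(packet)
        if echo is None:
            continue
        # Equal wire bytes means equal BE values and equal LE values,
        # so either representation ties a reply to its request.
        if echo["type"] == ECHO_REQUEST:
            pending[echo["raw"]] = index
        elif echo["raw"] in pending:
            pairs.append((pending.pop(echo["raw"]), index))
    return pairs, sorted(pending.values())

def sender_byte_order(packets):
    """List the representations in which request sequence numbers step by 1."""
    requests = [e for e in map(parse_echo, packets)
                if e and e["type"] == ECHO_REQUEST]
    def steps_by_one(key):
        seqs = [e[key] for e in requests]
        return len(seqs) > 1 and all(
            ((b - a) & 0xFFFF) == 1 for a, b in zip(seqs, seqs[1:]))
    return [name for name, key in (("BE", "seq_be"), ("LE", "seq_le"))
            if steps_by_one(key)]

def build(icmp_type, id_seq_hex):
    # Constructed sample packet; checksum left as zero and not validated here.
    return struct.pack("!BBH", icmp_type, 0, 0) + bytes.fromhex(id_seq_hex) + b"abcd"

# Constructed capture using the identifier from the thread (bytes 02 00);
# the request with sequence bytes 12 00 never gets a reply.
SAMPLE = [build(8, "02001100"), build(0, "02001100"), build(8, "02001200"),
          build(8, "02001300"), build(0, "02001300")]
```

On this sample the little-endian sequence numbers run 17, 18, 19 while the big-endian ones jump by 256, which is the situation where the LE column makes a missing reply easy to spot.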