Is there a way to view the bits of any generalized packet in the order of receipt? I'm running into issues understanding what bits should be where in the transmission so I'd like to see exactly what's being sent/received and in what order. Thanks

asked 28 Jul '16, 10:20 smcfalls
2 Answers:
Wireshark runs on computers that are byte-addressed, not bit-addressed; it's bit-parallel, not bit-serial. Networks tend to be bit-serial, so that the notion of bit order is relevant. As memory and processors are bit-parallel, the hardware that receives bits from the wire has to assemble the bits into bytes and put those bytes into memory; that hardware puts the least significant bit of a byte into the least significant bit of a byte, as it should do. So this isn't a function of Wireshark, or libpcap, or your OS - it's a function of the hardware. For networks in which the least significant bit is transmitted first - which includes an obscure network called "IEEE Std 802.3", sometimes also called "Ethernet" - the first transmitted bit will be at the bottom of a byte in tcpdump, Wireshark, snoop, and almost all, if not all, other network analyzers. You'll just have to live with that - just look at the bytes bottom-bit first.

answered 28 Jul '16, 13:23 Guy Harris ♦♦ edited 28 Jul '16, 13:24

Knowing that debugging at wire level is sometimes a pain and that seeing the bit stream may help reveal e.g. some synchronisation issues, I'd replace @Guy Harris' suggestion to "learn to live with that" by a suggestion to use a script which you would feed with the exported data and it would convert it into a binary dump, maybe both possible ways at once, such as
(28 Jul '16, 13:35) sindy

Another possibility would be to enhance Wireshark so that the raw data pane has three display modes for the binary data - as bytes, as bits with the high-order bit first, as bits with the low-order bit first. (28 Jul '16, 13:58) Guy Harris ♦♦

@Guy Harris, I didn't dare to even think about such a possibility :-) But as you've come up with it yourself, should I file an enhancement at Bugzilla? As the bit order on the wire is unambiguously defined for all encapsulations related to physical interface type (Ethernet, HDLC-based protocols), it'd be fine to augment the parameter set of each encapsulation with that information and have it visualised in the mode switch of the raw data pane. (29 Jul '16, 02:28) sindy

A bitstream view, which would allow you to show bit masks in the bitstream as well? (29 Jul '16, 04:44) Jaap ♦
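A conversion script of the kind suggested in the comments above, added here as an example and not code from the original thread. The function names and the sample bytes are constructed for illustration; it also goes beyond the dump by reversing the conversion, so a bit sequence read off a logic analyzer can be compared with the bytes in the hex view.

```python
def parse_hex(text):
    """Parse a hex stream copied from a capture tool (plain, spaced or colon-separated)."""
    return bytes.fromhex(text.replace(":", " "))

def msb_first(byte):
    """Bits of one byte as analyzers display them: high-order bit on the left."""
    return format(byte, "08b")

def lsb_first(byte):
    """Bits of one byte in transmission order on an LSB-first link."""
    return format(byte, "08b")[::-1]

def wire_bitstream(data, lsb_first_link=True):
    """Continuous bit string in the order the bits are serialized on the link."""
    per_byte = lsb_first if lsb_first_link else msb_first
    return "".join(per_byte(b) for b in data)

def bytes_from_wire(bits, lsb_first_link=True):
    """Reassemble bytes from a bit sequence observed on the wire (whitespace ignored)."""
    bits = "".join(bits.split())
    if len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected a multiple of 8 characters, each 0 or 1")
    groups = (bits[i:i + 8] for i in range(0, len(bits), 8))
    return bytes(int(g[::-1] if lsb_first_link else g, 2) for g in groups)

def bit_dump(data, width=4):
    """Rows of (offset, hex, MSB-first bits, LSB-first bits), `width` bytes per row."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        rows.append((off, chunk.hex(" "),
                     " ".join(msb_first(b) for b in chunk),
                     " ".join(lsb_first(b) for b in chunk)))
    return rows

if __name__ == "__main__":
    sample = parse_hex("d6:be:89:8e:40:06")  # constructed sample bytes
    print("offset  hex          bits (first line MSB first, second line LSB first)")
    for off, hx, msb, lsb in bit_dump(sample):
        print("%04x    %-12s %s" % (off, hx, msb))
        print("%04x    %-12s %s" % (off, "", lsb))
    # Round trip: the wire-order bit string reassembles into the captured bytes.
    assert bytes_from_wire(wire_bitstream(sample)) == sample
```
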
If you don't want Wireshark analyzing packets, you can disable all the protocol dissectors via:

answered 28 Jul '16, 12:58 cmaynard ♦♦

I'll look into that, thank you. Edit: Helpful, but it doesn't show the actual order of receipt, with least significant bit first. I'm beginning to suspect that the problem is my capture device. (28 Jul '16, 13:14) smcfalls

Now that you added that comment, it helps make things clearer, and so I think Guy Harris's answer is the one you're looking for. (28 Jul '16, 13:30) cmaynard ♦♦
I don't understand your question. Could you elaborate?
@cmaynard I want completely un-parsed data. Before Wireshark has done any manipulations at all.
Wireshark doesn't manipulate anything. It just displays decoded information. If you don't need that, look at the hex view, it's what was found on the wire.
@Jasper Interesting. I'm looking at BTLE packets specifically, and I know that bytes are transmitted with the least significant bit first, and the hex view does not reflect this.
Have you tried looking at the packet contents in a hex editor? It should be identical to the hex view in Wireshark.
That's a different issue, not so much related to Wireshark. For each medium and protocol, the order of bits in transmission is given, so the hardware and drivers assemble it into bytes the right way and send the message further or store it into a file already as a sequence of bytes. Wireshark has no access to the bit order.