This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

View bits of packet in received order?

0

Is there a way to view the bits of any generalized packet in the order of receipt? I'm running into issues understanding what bits should be where in the transmission so I'd like to see exactly what's being sent/received and in what order.

Thanks

asked 28 Jul '16, 10:20

smcfalls
accept rate: 0%

I don't understand your question. Could you elaborate?

(28 Jul '16, 10:24) cmaynard ♦♦

@cmaynard I want completely un-parsed data. Before Wireshark has done any manipulations at all.

(28 Jul '16, 12:21) smcfalls

Wireshark doesn't manipulate anything. It just displays decoded information. If you don't need that, look at the hex view, it's what was found on the wire.

(28 Jul '16, 12:58) Jasper ♦♦

@Jasper Interesting. I'm looking at BTLE packets specifically, and I know that bytes are transmitted with the least significant bit first, and the hex view does not reflect this.

(28 Jul '16, 13:14) smcfalls

Have you tried looking at the packet contents in a hex editor? It should be identical to the hex view in Wireshark.

(28 Jul '16, 13:19) Jasper ♦♦

That's a different issue, not so much related to Wireshark. For each medium and protocol, the order of bits in transmission is given, so the hardware and drivers assemble it into bytes the right way and send the message further or store it into a file already as a sequence of bytes. Wireshark has no access to the bit order.

(28 Jul '16, 13:24) sindy

2 Answers:

2

"I'm looking at BTLE packets specifically, and I know that bytes are transmitted with the least significant bit first, and the hex view does not reflect this."

Wireshark runs on computers that are byte-addressed, not bit-addressed; it's bit-parallel, not bit-serial. Networks tend to be bit-serial, so that the notion of bit order is relevant. As memory and processors are bit-parallel, the hardware that receives bits from the wire has to assemble the bits into bytes and put those bytes into memory; that hardware puts the least significant bit of a byte into the least significant bit of a byte, as it should do.

So this isn't a function of Wireshark, or libpcap, or your OS - it's a function of the hardware. For networks in which the least significant bit is transmitted first - which includes an obscure network called "IEEE Std 802.3", sometimes also called "Ethernet" - the first transmitted bit will be at the bottom of a byte in tcpdump, Wireshark, snoop, and almost all, if not all, other network analyzers. You'll just have to live with that - just look at the bytes bottom-bit first.

answered 28 Jul '16, 13:23

Guy Harris ♦♦
accept rate: 19%

edited 28 Jul '16, 13:24

Knowing that debugging at wire level is sometimes a pain and that seeing the bit stream may help reveal e.g. some synchronisation issues, I'd replace @Guy Harris' suggestion to "learn to live with that" by a suggestion to use a script which you would feed with the exported data and it would convert it into a binary dump, maybe both possible ways at once, such as

c7 45 19
MSB first: 11000111 01000101 00011001
LSB first: 11100011 10100010 10011000

(28 Jul '16, 13:35) sindy

Another possibility would be to enhance Wireshark so that the raw data pane has three display modes for the binary data - as bytes, as bits with the high-order bit first, as bits with the low-order bit first.

(28 Jul '16, 13:58) Guy Harris ♦♦

@Guy Harris, I didn't dare to even think about such a possibility :-) But as you've come up with it yourself, should I file an enhancement at Bugzilla? As the bit order on the wire is unambiguously defined for all encapsulations related to physical interface type (Ethernet, HDLC-based protocols), it'd be fine to augment the parameter set of each encapsulation with that information and have it visualised in the mode switch of the raw data pane.

(29 Jul '16, 02:28) sindy

A bitstream view, which would allow you to show bit masks in the bitstream as well?

(29 Jul '16, 04:44) Jaap ♦
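
The conversion script suggested in sindy's comment above, as an added example that is not part of the original thread: it takes hex bytes as text and renders each byte MSB first and LSB first, then reports the bit offsets at which a pattern occurs in the serial stream, including offsets that are not byte-aligned. The function names and the accepted separators (whitespace and colons) are assumptions of this example; the sample bytes are the ones from the comment.

```python
import re

SAMPLE = "c7 45 19"  # the bytes used in the comment above


def parse_hex(text):
    """Parse hex text such as 'c7 45 19', 'c7:45:19' or 'c74519' into bytes."""
    digits = re.sub(r"[\s:]", "", text)
    if len(digits) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", digits):
        raise ValueError("input is not a whole number of hex bytes")
    return bytes.fromhex(digits)


def byte_bits(value, lsb_first=False):
    """Return the 8 bits of one byte as a string, in the requested order."""
    bits = format(value, "08b")          # MSB first, as the hex view implies
    return bits[::-1] if lsb_first else bits


def dump(data):
    """Render the same bytes as hex, MSB-first bits and LSB-first bits."""
    return {
        "hex": " ".join(f"{b:02x}" for b in data),
        "msb": " ".join(byte_bits(b) for b in data),
        "lsb": " ".join(byte_bits(b, True) for b in data),
    }


def serial_stream(data, lsb_first=True):
    """Concatenate the bytes into one bit string in transmission order."""
    return "".join(byte_bits(b, lsb_first) for b in data)


def find_pattern(data, pattern, lsb_first=True):
    """Return (byte index, bit index) for every occurrence of a 0/1 pattern.

    The search runs over the serial stream, so matches that straddle a
    byte boundary are found as well.
    """
    stream = serial_stream(data, lsb_first)
    hits = [i for i in range(len(stream) - len(pattern) + 1)
            if stream.startswith(pattern, i)]
    return [divmod(i, 8) for i in hits]


if __name__ == "__main__":
    raw = parse_hex(SAMPLE)
    for label, text in dump(raw).items():
        print(f"{label}: {text}")
    print("pattern 1110100 at (byte, bit):", find_pattern(raw, "1110100"))
```

The same pattern lands at a different offset depending on the bit order assumed for the link, which is why the order has to be known before searching a capture for a sync word or bit mask.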

2

If you don't want Wireshark analyzing packets, you can disable all the protocol dissectors via: Analyze -> Enabled Protocols... -> Disable All -> OK.

answered 28 Jul '16, 12:58

cmaynard ♦♦
accept rate: 20%

I'll look into that, thank you. Edit: Helpful, but it doesn't show the actual order of receipt, with least significant bit first. I'm beginning to suspect that the problem is my capture device.

(28 Jul '16, 13:14) smcfalls

"I'm looking at BTLE packets specifically, and I know that bytes are transmitted with the least significant bit first, and the hex view does not reflect this."

Now that you added that comment, it helps make things clearer, and so I think Guy Harris's answer is the one you're looking for.

(28 Jul '16, 13:30) cmaynard ♦♦