[pcap-ng-format] Encoding IPv4 addresses in block/option fields

[Hadriel Kaplan]

[changing the subject from "Some questions about the pcapng draft"]

On Wed, Jul 22, 2015 at 9:22 AM, Jasper Bongertz <jasper at packet-foo.com> wrote:
> Wednesday, July 22, 2015, 3:10:51 PM, Hadriel Kaplan wrote:
>
>> 2) Are IPv4 address fields in all blocks/options always encoded in
>> network byte order? (since some programs internally represent them as
>> a uint32_t, this should be indicated in the draft)
>
> Good question - I think so far they are, but it is a good idea to
> specify this specifically. We must not mix representations here.

Looking at Wireshark, for the IPv4 in NRB records: it appears to
always write it in network order, but unfortunately on reading it
swaps the bytes if the SHB byte order is different from local host
order. (a bug)
Wireshark neither reads nor writes IDB IPv4 address options today.

Ntar does not support NRBs, but for the IDB IPv4 address option, it
appears to write it in native host order, but byte-swaps it when
reading it if the SHB byte order is not local host order. (also a bug)
It's not clear what ntar considers local host order for IPv4 address
to be, however. (i.e., if it's in network order internally)

Libpcap provides an API to write NRB records, and it appears to write
the NRB IPv4 address in big-endian/network-order format. (since it
memcpy's a struct in_addr, which is in network order)
Libpcap does not appear to support reading/writing the IPv4 option in the IDB.

So unless someone objects, I'm going to update the draft to say to
treat it as four uint8 bytes (i.e., big-endian/network-order).

-hadriel

p.s. if you'd like to test your own program, there are two files on
https://wiki.wireshark.org/Development/PcapNg - one called
"dhcp_little_endian.pcapng" and one called "dhcp_big_endian.pcapng",
which are the same file encoded in the identified endianess. Both have
the NRB's IPv4 address of 127.0.0.1 encoded in network order.