I'm trying to write a program to read a pcap file captured in linux (tcpdump version 4.5.1 libpcap version 1.5.3) but I can't get the byte swapping correct. The magic number isn't one of the values I expect (0xa1b2c3d4 or 0xd4c3b2a1) but is 0xc3d4a1b2. the 'file' command correctly identifies it (tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)) and 'tcpdump -r' reads it but I don't understand how. The magic number doesn't look little-endian OR big-endian to me. The hexdump looks like:
0000000 c3d4 a1b2 0002 0004 0000 0000 0000 0000
0000010 ffff 0000 0001 0000 6be0 5a87 a747 0008
What byte ordering is this file in?
