I'm trying to write a program to read a pcap file captured in Linux (tcpdump version 4.5.1, libpcap version 1.5.3) but I can't get the byte swapping correct. The magic number isn't one of the values I expect (0xa1b2c3d4 or 0xd4c3b2a1) but is 0xc3d4a1b2. The 'file' command correctly identifies it (tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)) and 'tcpdump -r' reads it, but I don't understand how. The magic number doesn't look little-endian OR big-endian to me. The hexdump looks like:
0000000 c3d4 a1b2 0002 0004 0000 0000 0000 0000
0000010 ffff 0000 0001 0000 6be0 5a87 a747 0008
What byte ordering is this file in?
It is probably just how the data are displayed. I'm assuming you are using hexdump. By default this program is using a two-byte hexadecimal display, i.e. it is reading two bytes and interprets these as an unsigned short:
$ hexdump file.pcap
0000000 c3d4 a1b2 ...
To get a byte-wise display you can use for example the -C
option:
$ hexdump -C file.pcap
00000000 d4 c3 b2 a1 ...
Or you could use xxd:
$ xxd file.pcap
00000000: d4c3 b2a1 ...
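To make the point concrete, here is an added example (not from the answer above) that detects the pcap byte order from the raw magic bytes, parses the 24-byte global header with the matching byte order, and reproduces hexdump's default 16-bit-word view of those same bytes. The sample header is constructed to match the asker's file (little-endian, version 2.4, snaplen 65535, Ethernet); the hexdump reproduction assumes a little-endian host, as in the question.

```python
import struct

# Constructed sample: first 24 bytes of the asker's file as hexdump -C shows them.
SAMPLE_HEADER = bytes.fromhex(
    "d4c3b2a1" "0200" "0400" "00000000" "00000000" "ffff0000" "01000000"
)

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond-resolution variant (libpcap)


def detect_byte_order(header: bytes) -> str:
    """Return the struct prefix ('<' little, '>' big) under which the magic decodes."""
    if len(header) < 4:
        raise ValueError("need at least 4 bytes of header")
    for prefix in ("<", ">"):
        (magic,) = struct.unpack(prefix + "I", header[:4])
        if magic in (PCAP_MAGIC, PCAP_MAGIC_NS):
            return prefix
    raise ValueError(f"not a pcap file: magic bytes {header[:4].hex()}")


def parse_global_header(header: bytes) -> dict:
    """Decode the 24-byte pcap global header using the detected byte order."""
    prefix = detect_byte_order(header)
    magic, major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        prefix + "IHHiIII", header[:24]
    )
    return {
        "byte_order": "little" if prefix == "<" else "big",
        "nanosecond": magic == PCAP_MAGIC_NS,
        "version": (major, minor),
        "thiszone": thiszone,
        "sigfigs": sigfigs,
        "snaplen": snaplen,
        "linktype": linktype,   # 1 == LINKTYPE_ETHERNET
    }


def hexdump_words(data: bytes) -> str:
    """Mimic hexdump's default output: 16-bit words read in host (little-endian) order.

    This is why d4 c3 b2 a1 shows up as 'c3d4 a1b2' in the asker's dump."""
    n = len(data) // 2
    words = struct.unpack("<%dH" % n, data[: 2 * n])
    return " ".join(f"{w:04x}" for w in words)
```

Once the header's byte order is known, the same struct prefix must be applied to every per-packet record header (ts_sec, ts_usec, incl_len, orig_len) in the file.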