This is an on going project with sniffing protocols.

Working my way through the IP header I started wonder why many of the structs have ihl before the version when in the rfc 791 it shows the version before ihl.  This is the original struct I was playing with also I noticed that the ihl has a bit field of 5, which did not make sense since the word length is 8 bits long.

struct ipheader {
    unsigned char      iph_ihl:5, iph_ver:4;
    unsigned char      iph_tos;
    unsigned short int iph_len;
    unsigned short int iph_ident;
    unsigned char      iph_flag;
    unsigned short int iph_offset;
    unsigned char      iph_ttl;
    unsigned char      iph_protocol;
    unsigned short int iph_chksum;
    unsigned int       iph_sourceip;
    unsigned int       iph_destip;
};
So I started to play with making some modifcations to a struct, with bit fields.
Used  Low Level Operators and Bit Fields   as beginning guide.
 struct ipheader {
   unsigned int       iph_t1:1;
   unsigned int       iph_t2:1;
   unsigned int       iph_t3:1;
   unsigned int       iph_t4:1;
   unsigned int       iph_t5:1;
   unsigned int       iph_t6:1;
   unsigned int       iph_t7:1;
   unsigned int       iph_t8:1;

I created a simple printf statement to seen what it all looked like, and the results at first were a bit confusing. Yes the print statement looks messy but it works.

printf("%x%x%x%x%x%x%x%xn", iph->iph_t1,
iph->iph_t2,
iph->iph_t3,
iph->iph_t4,
iph->iph_t5,
iph->iph_t6,
iph->iph_t7,
iph->iph_t8);

result was -> 10100010

So on the whiteboard broke the result into 4 byte pieces, starting from the left.
1:2:4:8 |  1:2:4:8
1:0:1:0 |  0:0:1:0
   5              4

The word boundary gets filled from the right moves to the left, this understand can be used with the rest of the header that has partial word boundaries such as ecn and flags.