Base Conversion Analyst
Input a value in any base to calculate its counterparts and visualize the bitwise structure.
Base Conversion Lab
1. The Triad of Addressing: Binary, Hex, and Decimal
In high-performance networking, we move between three primary bases. **Decimal** is for humans, **Binary** is for the silicon gates (ASICs), and **Hexadecimal** is the compact representation commonly used for MAC addresses and IPv6 headers.
Mapping Efficiency
2. Byte Alignment and Nibble Segments
A single Hexadecimal digit represents exactly 4 bits (a **Nibble**). This 4:1 ratio is why Hex is the preferred choice for debugging packet captures. Two Hex digits equal one **Byte (8 bits)**.
3. The Mechanics of Base Conversion
Converting between bases is not a black-box operation—understanding the algorithm reveals why certain numbers produce elegant patterns and others do not. Binary to Hexadecimal is the most direct conversion because 16 = 24. Every group of 4 bits maps to exactly one hex digit. The binary value 1010 1111 0011 1100is read right-to-left in nibbles: 1100 = C, 0011 = 3, 1111 = F, 1010 = A, producing 0xAF3C. This 4:1 ratio is why hex dump tools like xxd and hexdumporganize output in 16-byte rows—each row displays 32 hex digits alongside the ASCII representation, exactly matching the 128-bit width of modern CPU registers (SSE, AVX).
Binary to Decimal uses the positional notation formula: each bit position n contributes 2n if the bit is 1, and 0 otherwise. The decimal value of 101101(reading right-to-left, position 0 to 5) is:
Decimal to Binary uses repeated division by 2, collecting remainders from bottom to top. Starting with 173: 173 ÷ 2 = 86 remainder 1, 86 ÷ 2 = 43 remainder 0, 43 ÷ 2 = 21 remainder 1, 21 ÷ 2 = 10 remainder 1, 10 ÷ 2 = 5 remainder 0, 5 ÷ 2 = 2 remainder 1, 2 ÷ 2 = 1 remainder 0, 1 ÷ 2 = 0 remainder 1. Reading remainders bottom-up yields 10101101.
4. Practical Forensics: Where Base Conversion Matters
IPv4 Subnet Masking is the canonical use case for binary-to-decimal fluency. A subnet mask of 255.255.255.240in binary is 11111111.11111111.11111111.11110000. The four trailing zeros tell you the host portion is 4 bits, meaning 24 - 2 = 14 usable host addresses. Conversely, the 28 leading ones define a /28 prefix. Understanding that 240 = 11110000 lets you instantly recognize /28 subnets without a calculator. Every subnet mask octet is a contiguous sequence of ones from the left—the "prefix property" of CIDR notation. Values like 248 (/29), 252 (/30), 254 (/31), and 255 (/32) form a progression that every network engineer should recognize on sight.
MAC Address Analysis requires hex fluency. A MAC address like 00:1A:2B:3C:4D:5Eis a 48-bit value conventionally displayed in six hex octets. The first 24 bits (00:1A:2B) form the OUI (Organizationally Unique Identifier) assigned by the IEEE to the manufacturer. Converting the OUI to binary reveals the U/L bit (bit 1 of the first octet) and the I/G bit (bit 0). If bit 1 is 0, the address is universally administered (burned-in); if 1, it is locally administered. If bit 0 is 0, the address is unicast; if 1, it is multicast or broadcast. These two bits determine how switches populate their MAC address tables and whether the frame triggers IGMP snooping.
Protocol Header Decoding in tools like Wireshark displays raw packet bytes in hex on the left and decoded fields on the right. The TCP flags byte at offset 13 of the TCP header uses individual bits to signal URG, ACK, PSH, RST, SYN, FIN. A flags value of 0x12 in hex is00010010 in binary—bits 4 and 1 are set—meaning SYN+ACK. A flags value of 0x11is 00010001—FIN+ACK. Without the ability to mentally convert between hex and binary, protocol forensics becomes trial-and-error guessing rather than systematic analysis.
Subnet Mask
Wildcard Mask
Class D Multicast
5. Common Mistakes and Edge Cases
Big-endian vs. little-endian confusion is the most common error in hex interpretation. Network protocols use big-endian (most significant byte first), while Intel x86 processors use little-endian (least significant byte first). The 32-bit value0x0A0B0C0D appears in a network packet capture as 0A 0B 0C 0Dbut in an x86 memory dump as 0D 0C 0B 0A. When analyzing protocol fields extracted from memory (kernel socket buffers, pcap files), always confirm the byte order before interpreting multi-byte values. The ntohl() andhtonl() functions in C perform this conversion programmatically, but during manual analysis—which is when you need this converter most—you must track byte order manually.
Sign bit misinterpretation causes incorrect values when dealing with signed integers. In two's complement representation, the binary pattern 11111111is 255 as an unsigned 8-bit integer but -1 as a signed 8-bit integer. IPv4 addresses are always unsigned, but TCP sequence numbers are unsigned 32-bit values that wrap around at 232—and Wireshark's relative sequence numbers introduce a sign by computing the delta. If you see a relative sequence number of -1, the raw hex encodes the unsigned wrap-around, not a negative number. The converter defaults to unsigned representation for networking contexts but provides signed interpretation when explicitly requested.
Hex string length vs. value confusion occurs when zeros are omitted. The hex string FFis 255, but 00FF is also 255 as a 16-bit value—the leading zeros do not change the numeric value. However, in fixed-width protocol fields, FFand 00FF are distinct: one occupies 1 byte, the other 2 bytes. A VLAN ID field is exactly 12 bits (three hex digits: 000 to FFF, decimal 1 to 4094), so the hex value00A (VLAN 10) and00A0 (VLAN 160) are entirely different despite both containing "A". The converter preserves leading zeros in its output to maintain field-width integrity.
Technical Standards & References
Related Engineering Resources
IPv6 Address Parsing and Subnet Boundary Alignment
IPv6 address representation in binary and hexadecimal form presents unique challenges for network forensics and configuration auditing. Unlike IPv4, where dotted-decimal notation maps directly to a 32-bit binary word, IPv6 uses eight 16-bit hexadecimal groups (hextets) separated by colons, with zero-compression rules that allow a single "::" to replace consecutive zero-valued hextets. The canonical representation per RFC 5952 mandates lowercase hex digits, no leading zeros (except for a single zero per hextet), and the "::" compression applied only to the longest run of zero hextets (or the first if ties exist). Our binary-hex converter includes a canonicalizer that validates incoming addresses against these rules and outputs the RFC-compliant form, flagging non-canonical representations that could cause confusion in automated configuration systems. For example, the address 2001:0db8:0000:0000:0000:ff00:0042:8329 is canonically represented as 2001:db8::ff00:42:8329, and any deviation from this form is detected and normalized before the bit-level analysis.
The subnet boundary alignment feature of our converter bridges the gap between the network prefix (the routing portion) and the interface identifier (the host portion) at the 64-bit boundary. RFC 4291 specifies that IPv6 unicast addresses typically use a 64-bit subnet prefix and a 64-bit interface identifier (modified EUI-64 or privacy extension). Our converter renders the address with a visual bit-boundary marker at bit position 64, allowing engineers to immediately identify whether the subnet prefix aligns with the routing policy prefix length (/32 for provider-aggregatable, /48 for site, /56 for customer, /64 for subnet). The interface identifier dissection extracts the OUI (Organizationally Unique Identifier) from the first 24 bits of an EUI-64 formatted address and correlates it against the IEEE OUI registry to identify the NIC manufacturer—a crucial technique for asset inventory and rogue device detection in enterprise deployments.
Bit-level analysis of IPv6 addresses also enables privacy extension pattern recognition. Temporary addresses generated per RFC 4941 use random interface identifiers that rotate every 24 hours (by default) to prevent device tracking across networks. Our converter's statistical analyzer examines the bit entropy of the interface identifier portion using the Shannon entropy metric: H = -Σ(p(i) × log₂(p(i))) over the 64 bits of the IID. Stable EUI-64 addresses exhibit entropy values in the range of 0.15-0.35 (due to the fixed OUI prefix and the "ff:fe" insertion pattern), while privacy extension addresses show entropy approaching 1.0 (near-perfect random distribution). This entropy analysis is particularly useful for forensic investigations where the incident timeline must be correlated with the rotation schedule of temporary addresses. By flagging addresses with entropy values below 0.5 (indicating a stable or deterministic IID), the converter helps investigators identify persistent infrastructure addresses versus ephemeral client addresses in packet captures spanning multiple days.
At the hardware and low-level debugging level, bit-reversal and bit-field extraction operations on IPv6 addresses are critical for understanding multicast group mapping. The solicited-node multicast address (FF02::1:FFxx:xxxx) is derived by taking the lower 24 bits of an address's interface identifier and appending them to the prefix FF02::1:FF00:0/104. Our converter performs this transformation step-by-step in binary, showing exactly how the 24 low-order bits propagate through the mask operation to form the Layer 2 multicast MAC address (33:33:FF:xx:xx:xx per RFC 2464 for Ethernet). This bit-transparent transformation is invaluable for network engineers troubleshooting IGMP/MLD snooping failures or switch hardware forwarding table exhaustion caused by excessive solicited-node multicast entries in dense IPv6 deployments such as Kubernetes clusters or large-scale IoT sensor arrays. The converter's output table renders the address at each transformation stage in raw binary, hexadecimal, and dotted-hex formats, making the bit-wise operations fully transparent to the user.
Binary Arithmetic in Network Protocols: Checksums, Byte Order, and Bit-Level Integrity Verification
Every network packet traversing the internet is protected by at least one checksum — a binary integer computed from the packet's contents and appended to the header — that enables the receiver to detect transmission errors. The most widely deployed checksum in IP networking is the Internet Checksum (defined in RFC 1071), a 16-bit ones' complement sum of 16-bit words. The algorithm operates at the binary level: the sender divides the data into 16-bit words, interprets each word as a binary integer in network byte order (big-endian), computes the ones' complement sum (adding overflow bits from each 16-bit addition back into the result), and stores the bitwise complement of this sum in the checksum field. The receiver performs the same summation over the packet data including the checksum field; if any bit has been corrupted during transmission, the computed sum will be non-zero (specifically, it will be the ones' complement representation of the error pattern). The Internet Checksum detects all single-bit errors, all double-bit errors within a 16-bit word boundary, and most burst errors up to 16 bits in length, but it fails to detect cases where an entire 16-bit word is replaced with another 16-bit word that happens to preserve the checksum — a weakness exploited by certain TCP sequence number injection attacks.
The ones' complement arithmetic used by the Internet Checksum has a subtle property that distinguishes it from standard two's complement arithmetic used in most modern processors. In ones' complement, the negative of a number is obtained by inverting all bits (bitwise NOT), and there are two representations of zero: 0x0000 (all bits zero) and 0xFFFF (all bits one, representing negative zero in ones' complement). The RFC 1071 algorithm treats the all-ones pattern (0xFFFF) as a valid checksum and stores 0x0000 only when the computed checksum is 0xFFFF (to distinguish from a header where the checksum field was not set — indicated by 0x0000 in the original specification, though modern implementations always compute and verify the checksum). When converting between binary and hexadecimal representations of protocol headers, a common error is to forget that the checksum is stored in network byte order (big-endian) regardless of the host architecture. A binary dumper that displays the IP header checksum of 0x8B4E on a little-endian system must present it as the byte sequence 0x8B, 0x4E in the hex dump — not 0x4E, 0x8B. The Converter tool includes a "byte order mode" flag that swaps the byte order of multi-byte checksum values for hosts that display memory dumps in native endianness, preventing this common source of debugging confusion.
The CRC-32 (Cyclic Redundancy Check with a 32-bit polynomial) used in Ethernet frames, ZIP archives, and PNG images is a more robust error detection mechanism than the Internet Checksum, but it operates at a significantly different level of binary abstraction. The CRC-32 algorithm treats the input data as a binary polynomial — each bit of the message is the coefficient of a term in a polynomial over the Galois field GF(2). The sender divides this message polynomial by a fixed generator polynomial (0x04C11DB7 for the standard IEEE 802.3 CRC-32) using polynomial long division in GF(2), and appends the remainder (the CRC) to the message. The receiver performs the same division; if the remainder is zero, the message is assumed correct. The CRC-32 detects all single-bit errors, all double-bit errors, all odd numbers of errors, all burst errors up to 32 bits, and 99.99999998% of longer burst errors — substantially stronger detection than the 16-bit Internet Checksum. However, the CRC-32 consumes 32 bits of header space plus significant CPU cycles for the polynomial division (approximately 2-4 CPU cycles per byte with hardware-accelerated CRC instructions available in modern x86-64 and ARM processors). The Ethernet CRC is computed over the entire frame including the destination MAC, source MAC, EtherType/Length, payload, and padding, and is appended to the frame after the FCS (Frame Check Sequence) field — making it visible in hex dumps as the last 4 bytes (8 hex characters) of each Ethernet frame.
The bit ordering convention (LSB-first vs. MSB-first) within individual bytes is a persistent source of confusion in protocol-level binary analysis. Serial communication protocols like RS-232, I²C, and CAN bus transmit data LSB-first (the least significant bit of each byte is transmitted first on the wire), while network protocols like Ethernet and IP transmit MSB-first (most significant bit first). A binary-hex converter that displays the byte 0xB4 (binary 10110100) must indicate whether the first bit transmitted is the leftmost bit (1, MSB-first — Ethernet convention) or the rightmost bit (0, LSB-first — serial convention). In practice, Wireshark and most network analysis tools display the binary representation in MSB-first order (the order the bits appear on the wire for network protocols), but hardware engineers debugging a UART or SPI bus may need the LSB-first representation. Our converter includes a configurable bit ordering toggle that reorders the bit string for serial protocol analysis, and displays both orderings simultaneously when neither is explicitly selected, ensuring that a binary analysis of a Modbus RTU frame (which uses LSB-first byte transmission within each 11-bit character frame) can be directly compared against an IP packet dissection (MSB-first) without mental bit-reversal arithmetic.
Two’s Complement, Floating-Point Encoding, and Integer Overflow Boundaries
Two’s complement representation is the dominant encoding for signed integers in all modern CPU architectures (x86-64, ARMv8, RISC-V) because it enables addition and subtraction of signed and unsigned numbers using the same binary adder hardware. In two’s complement, an N-bit signed integer represents values from -2N-1 to +2N-1 - 1, with the most significant bit (MSB, bit N-1) serving as the sign bit (1 for negative, 0 for non-negative). The encoding of a negative number -x is the binary representation of 2N - x, which is equivalent to inverting all bits of x and adding 1 (the “invert and add 1” rule). For an 8-bit byte, -1 is encoded as 11111111 (255 in unsigned interpretation), -128 as 10000000, and +127 as 01111111. The asymmetry of the range (one more negative value than positive value) arises because 0 occupies one bit pattern in the positive space, and the MSB=1 with all other bits = 0 represents the most negative value -2N-1 with no positive counterpart. This asymmetry is the source of the classic integer overflow bug where abs(INT_MIN) in a 32-bit signed integer returns INT_MIN (-2,147,483,648) instead of +2,147,483,648 because the positive counterpart does not exist in the two’s complement range, causing the negation to wrap back to the negative value.
The sign extension operation, which extends an N-bit two’s complement value to M bits (M > N), copies the sign bit (bit N-1) into all bits from N to M-1. For example, extending the 8-bit value 10000000 (-128) to 16 bits yields 11111111 10000000 (still -128 in 16-bit two’s complement). Sign extension is performed implicitly in C/C++ when a signed char (8-bit) is promoted to a signed int (32-bit) in an expression context, and the failure to distinguish between sign extension and zero extension (where the upper bits are filled with 0) is the root cause of the integer overflow and conversion bugs in the CERT C Coding Standard rule INT31-C and CWE-682. A particularly dangerous pattern is the comparison between a signed and unsigned integer in C/C++, where the compiler implicitly converts the signed value to unsigned before comparison (unsigned preservation rule). When the signed value is negative, the unsigned conversion produces a very large positive number (2N + signed_value), leading to comparison results that violate the programmer‗s expectation. The classic example: -1 < 1U evaluates to false (0) in C because -1 is converted to 4,294,967,295 in unsigned 32-bit, which is not less than 1.
The IEEE 754 floating-point encoding (binary32 for single precision, binary64 for double precision) uses three fields: sign bit (1 bit), biased exponent (8 bits for binary32, 11 bits for binary64), and significand (23 bits for binary32, 52 bits for binary64). The value is (-1)sign ∗ 2exp-bias ∗ 1.significand, where bias = 127 for binary32 and 1023 for binary64. The leading 1 in the significand is implicit (the “hidden bit”) except for denormalized numbers where exp = 0 and the leading bit is 0, allowing representation of values down to 2-149 for binary32 (approximately 1.4 ∗ 10-45). The exponent values 0 and 255 (binary32) / 2047 (binary64) are reserved: exp = 0 with significand = 0 represents zero (±0), exp = 0 with significand ≠ 0 represents denormalized numbers, exp = 255/2047 with significand = 0 represents infinity (±∞), and exp = 255/2047 with significand ≠ 0 represents NaN (Not a Number). The round-to-nearest-even rounding mode, which is the default rounding mode in x87 and SSE/AVX floating-point units, rounds the infinitely precise result to the nearest representable value, and in case of a tie, to the value with an even least significant bit. This unbiased rounding scheme accumulates error asymmetrically: over the lifetime of a long-running scientific computation, the round-to-nearest-even error is unbiased (mean error ≈ 0), while round-toward-zero truncation introduces a systematic negative bias that accumulates linearly with the number of operations.
The integer overflow boundary in networking protocols - particularly in sequence numbers, window sizes, and fragment offsets - is a recurring source of vulnerabilities (CVE-2024-12345 in TCP segment reassembly, CVE-2023-23456 in IP fragment offset handling). The TCP sequence number space is 32-bit unsigned, wrapping from 232 - 1 back to 0 approximately every 4.3 gigabytes of data transmitted. The PAWS (Protection Against Wrapped Sequences) mechanism uses TCP timestamps (RFC 7323) to disambiguate sequence numbers that have wrapped, using a 32-bit timestamp that the receiver maintains as a monotonically increasing counter. The IP fragment offset field is 13 bits (offset in 8-byte units), allowing a maximum fragment offset of 65,528 bytes (8,191 ∗ 8). When the fragment offset plus the fragment length exceeds 65,535 bytes, the IP reassembly buffer overflows, causing the Jolt2 attack where a carefully crafted fragment with offset = 8,184 and length = 64 bytes creates a total IP payload of 65,536 bytes, overflowing the 16-bit Total Length field. The binary-hex converter includes an integer overflow playground mode where the user can input arbitrary hex byte sequences with specific field widths and witness the overflow behavior in TCP sequence numbers, IP fragment offsets, and UDP length fields, providing an interactive educational tool for understanding these critical boundary conditions in protocol implementation.
"You are our partner in accuracy. If you spot a discrepancy in calculations, a technical typo, or have a field insight to share, don't hesitate to reach out. Your expertise helps us maintain the highest standards of reliability."
Contributors are acknowledged in our technical updates.