Guy,

Thank you for your input. It is much appreciated. The author, Judy Novack, has been contacted. The series of books I am working with are two years old, and these issues have been addressed and corrected in the current release of material for the IDS courses.

-----Original Message-----
From: Guy Harris [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 09, 2002 8:30 PM
To: Robert Buckley
Cc: 'Andrew Mann'; [EMAIL PROTECTED]; '[EMAIL PROTECTED]'
Subject: Re: [tcpdump-workers] Filter ip[0] & 0xf0 = 4

On Thu, May 09, 2002 at 11:11:52AM -0400, Robert Buckley wrote:
> So you see where I'm going with this and why I got so confused? I believe
> the author truly believed a mask actually does "discard all bits found
> in the low-order",

He/she is correct in his/her belief.

> but in fact it does not "discard",
> you must take the low order into consideration. Agree or comment?

Disagree. The problem is, as noted, that it discards the low-order bits, as it should do, but you then have to compare the *high-order* bits, with

    ip[0] & 0xf0 != 0x40

The mask operation does *NOT* move the high-order bits down; it leaves them where they are.

I have sent mail to "[EMAIL PROTECTED]", who I infer from the page at http://www.sans.org/VirginiaBeach/track3.php is the person to whom feedback should be sent, pointing out the error in the claim that the filter should be "ip[0] & 0xf0 != 4".

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
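
The masking behaviour discussed in this thread, as an added example that is not part of the original messages: it evaluates the filters quoted above against every possible value of ip[0], showing that comparing the masked byte with 4 can never match (or always matches, in the != form) because the version bits stay in the high nibble. The function names, the sample bytes and the shifted form `(ip[0] >> 4) != 4` are assumptions added for illustration.

```python
# Added illustration: names are hypothetical, sample bytes are constructed.

def version_masked(first_byte):
    """ip[0] & 0xf0: zeroes the low nibble (header length); version stays in bits 7..4."""
    return first_byte & 0xF0

# Each filter from the thread as a predicate on ip[0], with explicit parentheses.
FILTERS = {
    "ip[0] & 0xf0 = 4": lambda b: version_masked(b) == 4,
    "ip[0] & 0xf0 != 4": lambda b: version_masked(b) != 4,
    "ip[0] & 0xf0 != 0x40": lambda b: version_masked(b) != 0x40,
    # Shifted form for comparison: here the version really is moved down to 0..15.
    "(ip[0] >> 4) != 4": lambda b: (b >> 4) != 4,
}

def matching_bytes(name):
    """All values of ip[0] (0..255) for which the named filter is true."""
    return {b for b in range(256) if FILTERS[name](b)}

def report(samples):
    """One line per sample byte: its masked value and the filters that match it."""
    lines = []
    for label, b in samples.items():
        hits = [name for name, pred in FILTERS.items() if pred(b)]
        lines.append(f"{label}: ip[0]=0x{b:02x} masked=0x{version_masked(b):02x} "
                     f"matched by {hits}")
    return lines

# Constructed first bytes of an IP header (version nibble, header-length nibble).
SAMPLES = {
    "IPv4, 20-byte header": 0x45,
    "IPv4 with options": 0x46,
    "version nibble 6": 0x65,
    "version 0, low nibble 4": 0x04,
}

if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name!r} is true for {len(matching_bytes(name))} of 256 byte values")
    for line in report(SAMPLES):
        print(line)
```
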