Guy,

Thank you for your input. It is much appreciated.
The author, Judy Novack, has been contacted. The series of books I am
working with are two years old, and these issues have been addressed and
corrected in the current release of material for the IDS courses.

-----Original Message-----
From: Guy Harris [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 09, 2002 8:30 PM
To: Robert Buckley
Cc: 'Andrew Mann'; [EMAIL PROTECTED];
'[EMAIL PROTECTED]'
Subject: Re: [tcpdump-workers] Filter ip[0] & 0xf0 = 4


On Thu, May 09, 2002 at 11:11:52AM -0400, Robert Buckley wrote:
> So you see where I'm going with this and why I got so confused? I believe
> the author truly believed a mask actually does "discard all bits found
> in the low-order",

He/she is correct in his/her belief.

> but in fact it does not "discard",
> you must take the low order into consideration. Agree or comment?

Disagree.

The problem is, as noted, that it discards the low-order bits, as it
should do, but you then have to compare the *high-order* bits, with

        ip[0] & 0xf0 != 0x40

The mask operation does *NOT* move the high-order bits down; it leaves
them where they are.

I have sent mail to "[EMAIL PROTECTED]", who I infer from the page at

        http://www.sans.org/VirginiaBeach/track3.php

is the person to whom feedback should be sent, pointing out the error in
the claim that the filter should be "ip[0] & 0xf0 != 4".
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
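
An added example, not part of the original messages: the Python below evaluates the two comparisons discussed in the thread over every possible value of the first IP header byte, showing that a value masked with 0xf0 can never equal 4, so `ip[0] & 0xf0 != 4` is true for every packet. The helper names and sample bytes are constructed for illustration.

```python
# Added illustration; helper names and sample bytes are constructed.

ALL_BYTES = range(256)

# Constructed first bytes of an IP header:
# version in the high nibble, header length (IHL) in the low nibble.
SAMPLES = {
    "IPv4, IHL 5": 0x45,
    "IPv4, IHL 6 (options present)": 0x46,
    "version 6": 0x60,
    "version 0, low nibble 4": 0x04,
}


def masked_ne(first_byte, mask, value):
    """Evaluate the filter-style test `ip[0] & mask != value` on one byte."""
    return (first_byte & mask) != value


def matching(mask, value, candidates=ALL_BYTES):
    """Return every candidate byte for which the test is true."""
    return [b for b in candidates if masked_ne(b, mask, value)]


def reachable(mask):
    """All values `byte & mask` can take; the mask does not shift bits down."""
    return sorted({b & mask for b in ALL_BYTES})


def report():
    """Per sample: (label, byte, '!= 4' result, '!= 0x40' result)."""
    return [
        (label, hex(b), masked_ne(b, 0xF0, 4), masked_ne(b, 0xF0, 0x40))
        for label, b in SAMPLES.items()
    ]


if __name__ == "__main__":
    print("values reachable after & 0xf0:", [hex(v) for v in reachable(0xF0)])
    print("bytes matching '& 0xf0 != 4':   ", len(matching(0xF0, 4)), "of 256")
    print("bytes matching '& 0xf0 != 0x40':", len(matching(0xF0, 0x40)), "of 256")
    for row in report():
        print(row)
```

The `!= 0x40` form rejects exactly the 16 bytes whose high nibble is 4, whatever the header length in the low nibble.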
