Comments on: Weekend Challenge – Answers http://www.chrisbrenton.org/2009/12/weekend-challenge-answers/ Your source for invisible security bug spray Fri, 12 Aug 2011 18:22:08 +0000 hourly 1 http://wordpress.org/?v= By: jc http://www.chrisbrenton.org/2009/12/weekend-challenge-answers/comment-page-1/#comment-737 jc Thu, 10 Dec 2009 21:24:23 +0000 http://www.chrisbrenton.org/?p=722#comment-737 Makes sense I just want to be difficult ;-) I am trying to see if there is a way of accomplishing this using bit masking. Just realised my previous reply tried to match a nibble not the byte so here goes one last try src net 2001:db8::/122 and ((ip6[23] & 0xF0 = 0x10) or (ip6[23] = 0×20))’ So ip6[23] & 0xF0 = 0x10 (should match decimal 16 - 31) and then ip6[23] = 0x20 should match 32. Or is it time to throw in the towel ?? Makes sense I just want to be difficult ;-)
I am trying to see if there is a way of accomplishing this using bit masking. Just realised my previous reply tried to match a nibble not the byte so here goes one last try
src net 2001:db8::/122 and ((ip6[23] & 0xF0 = 0×10) or (ip6[23] = 0×20))’

So
ip6[23] & 0xF0 = 0×10 (should match decimal 16 – 31) and then ip6[23] = 0×20 should match 32. Or is it time to throw in the towel ??

]]> By: Chris http://www.chrisbrenton.org/2009/12/weekend-challenge-answers/comment-page-1/#comment-726 Chris Wed, 09 Dec 2009 15:09:29 +0000 http://www.chrisbrenton.org/?p=722#comment-726 The filter: ip[23]&F0==1 will look at the four high order bits and match on the *lowest* order bit being set. In other words, the specified value ( 1) would be perceived as decimal and is outside of the mask range. If you run the filter you will see that tcpdump gives you a syntax error. :( Let's look at this last byte in binary to see if that makes the problem any easier. We are trying to match any binary value from: 00010000 - 00100000 The "src net" portion of the filter takes care of ensuring the two high order bits (64 & 128) are set to 0, so we don't have to worry about them. The rest of our filters needs to check to see: 1) Is bit 32 turned on, with all lower order bits turned off (exactly 00100000). or... 2) Is bit 32 turned off, bit 16 turned on, ignoring any lower order bits ( value range is 00010000 - 00011111). So the easiest way to filter on this is to include the greater than and less than primitives. What we want to say is: 00010000 <= VALUE <= 00100000 Now, convert this back to Hex and you get: 0x10 < = VALUE <= 0x20 In tcpdump speak, you write this expression as: ip6[23] >= 0×10 && ip6[23] <= 0×20 or: ip6[23] >= 0×10 and ip6[23] <= 0×20 Make a bit more sense? The filter:
ip[23]&F0==1
will look at the four high order bits and match on the *lowest* order bit being set. In other words, the specified value ( 1) would be perceived as decimal and is outside of the mask range. If you run the filter you will see that tcpdump gives you a syntax error. :(

Let’s look at this last byte in binary to see if that makes the problem any easier.
We are trying to match any binary value from:
00010000 – 00100000
The “src net” portion of the filter takes care of ensuring the two high order bits (64 & 128) are set to 0, so we don’t have to worry about them.
The rest of our filters needs to check to see:
1) Is bit 32 turned on, with all lower order bits turned off (exactly 00100000).

or…

2) Is bit 32 turned off, bit 16 turned on, ignoring any lower order bits ( value range is 00010000 – 00011111).

So the easiest way to filter on this is to include the greater than and less than primitives. What we want to say is:
00010000 < = VALUE <= 00100000

Now, convert this back to Hex and you get:
0x10 < = VALUE <= 0x20

In tcpdump speak, you write this expression as:
ip6[23] >= 0×10 && ip6[23] < = 0×20

or:
ip6[23] >= 0×10 and ip6[23] <= 0×20

Make a bit more sense?

]]> By: jc http://www.chrisbrenton.org/2009/12/weekend-challenge-answers/comment-page-1/#comment-711 jc Sun, 06 Dec 2009 23:15:23 +0000 http://www.chrisbrenton.org/?p=722#comment-711 ok so to match the first nibble of the last byte. (I only want it to match 1 (which yields 16 - 31) will ip6[23] & F0 == 1 do the trick ? ok so to match the first nibble of the last byte. (I only want it to match 1 (which yields 16 – 31) will
ip6[23] & F0 == 1
do the trick ?

]]> By: Chris http://www.chrisbrenton.org/2009/12/weekend-challenge-answers/comment-page-1/#comment-707 Chris Sun, 06 Dec 2009 14:40:08 +0000 http://www.chrisbrenton.org/?p=722#comment-707 Updating my reply due to lack of caffeine: src net 2001:db8::/122 We're masking on 122 bits. This specifies that bits 33 - 122 are equal to 0. ip6[23] & 0xE0 == 0 This filter says bits 121 - 123 must be 0. ip6[23] == 0×20 This filter says bit 123 must be 1. So to just focus on the last byte, your statement says "bits 121 and 122 must be off and (bit 123 must be off or bit 123 must be on)". This gets us close, but what if bit 124 is off? This could match the filter but still put us outside the specified range of addresses. Updating my reply due to lack of caffeine:
src net 2001:db8::/122
We’re masking on 122 bits. This specifies that bits 33 – 122 are equal to 0.
ip6[23] & 0xE0 == 0
This filter says bits 121 – 123 must be 0.
ip6[23] == 0×20
This filter says bit 123 must be 1.

So to just focus on the last byte, your statement says “bits 121 and 122 must be off and (bit 123 must be off or bit 123 must be on)”. This gets us close, but what if bit 124 is off? This could match the filter but still put us outside the specified range of addresses.

]]> By: jc http://www.chrisbrenton.org/2009/12/weekend-challenge-answers/comment-page-1/#comment-703 jc Sun, 06 Dec 2009 09:59:38 +0000 http://www.chrisbrenton.org/?p=722#comment-703 Chris, chiming in late but following along with timtowtdi how about... 'src net 2001:db8::/122 and ((ip6[23] & 0xE0 == 0) or (ip6[23] == 0x20))' Chris,
chiming in late but following along with timtowtdi
how about…
‘src net 2001:db8::/122 and ((ip6[23] & 0xE0 == 0) or (ip6[23] == 0×20))’

]]>