Question

I am taking a digital securities class and I don't understand one of the examples on bitmasking.

To find IPv4 packets, they say to run this command:

tcpdump IP[0] & 0xf0 = 4

I believe that this is wrong. The bit mask correctly selects only the first 4 bits of the IP header (which is the version number) and sets all the bits for the internet header length to 0.

But shouldn't the answer be

tcpdump IP[0] & 0xf0 = 0x40

This states to set all bits in the first byte of the IP packet header except for the first 4 bits (which is the version number) to 0 and to only show packets with this value equal to 0100 0000.


Solution

This states to set all bits in the first byte of the IP packet header except for the first 4 bits (which is the version number) to 0

More correctly, it selects the first 4 bits of the first byte of the IP packet header, and returns a value in which the lower 4 bits are zero.

So you are correct, in that tcpdump IP[0] & 0xf0 = 4 will NEVER succeed (as IP[0] & 0xf0 is in the range 0x00 through 0xf0, with the low-order nibble being 0, so it can NEVER equal 4), and IP[0] & 0xf0 = 0x40 will succeed only if the IP version number in the IP header is 4 (rather than, for example, 6).
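The mask arithmetic discussed above, as an added example that is not part of the original question or answer. It models only the comparison `(byte0 & mask) == value` on the first header byte; the function names and all packet bytes are constructed for illustration.

```python
# Added example: models the filter arithmetic "ip[0] & MASK = VALUE"
# on the first header byte. All packet bytes below are constructed samples.
import struct

def first_byte_filter(packet: bytes, mask: int, value: int) -> bool:
    """Evaluate (packet[0] & mask) == value, as the filter expression does."""
    return (packet[0] & mask) == value

def version_and_ihl(packet: bytes) -> tuple[int, int]:
    """Split byte 0 into the high nibble (version) and low nibble (IHL, in 32-bit words)."""
    return packet[0] >> 4, packet[0] & 0x0F

def values_matching(mask: int, value: int) -> list[int]:
    """Every possible first byte (0..255) that satisfies the filter."""
    return [b for b in range(256) if (b & mask) == value]

# Constructed 20-byte IPv4 header: version 4, IHL 5 -> first byte 0x45.
ipv4_plain = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
# Constructed IPv4 header with options: IHL 6 -> first byte 0x46, 24 bytes.
ipv4_opts = bytes([0x46]) + ipv4_plain[1:] + b"\x00" * 4
# Constructed IPv6 header start: version 6 -> first byte 0x60.
ipv6 = bytes([0x60]) + b"\x00" * 39

if __name__ == "__main__":
    for name, pkt in [("ipv4", ipv4_plain), ("ipv4+options", ipv4_opts), ("ipv6", ipv6)]:
        print(name, version_and_ihl(pkt),
              "=4:", first_byte_filter(pkt, 0xF0, 4),
              "=0x40:", first_byte_filter(pkt, 0xF0, 0x40))
    # No byte can match 4 after masking with 0xf0: the low nibble is always 0.
    print("bytes matching '& 0xf0 = 4':", values_matching(0xF0, 4))
    # 0x40..0x4f all match 0x40: version 4 with any header length.
    print("bytes matching '& 0xf0 = 0x40':",
          [hex(b) for b in values_matching(0xF0, 0x40)])
```

The exhaustive check over all 256 byte values shows that the `= 0x40` form matches version 4 regardless of the header-length nibble, so headers with options (IHL greater than 5) are still selected.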

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow