This states to set all bits in the first byte of the IP packet header except for the first 4 bits (which is the version number) to 0
More correctly, it selects the first 4 bits of the first byte of the IP packet header, and returns a value in which the lower 4 bits are zero.
So you are correct, in that tcpdump IP[0] & 0xf0 = 4
will NEVER succeed (as IP[0] & 0xf0
is in the range 0x00
through 0xf0
, with the low-order nibble being 0, so it can NEVER equal 4), and IP[0] & 0xf0 = 0x40
will succeed only if the IP version number in the IP header is 4 (rather than, for example, 6).