Wireshark Capture Filter Example - hex

This is with respect to a Wireshark Packet Capture Filter.
IP packets whose IP version is not 4
Solution :
Filter:
ip[0] & 0xF0 != 0x40
ip[0] & 1111 0000 != 64
Could anyone please provide clarity on how the above solution could be inferred?
Thanks in advance,
Adam

According to the IPv4 packet structure:
You have the version in the first octet, in the upper nibble. Version for IPv4 packets is "4" as you can see in the picture, but remember it has to be in the upper nibble, hence the 0x40 in the filter (64 in decimal base).
So what your filter does is grab the first byte of the IP header, AND it with 0xF0 to keep only the version part (the upper nibble), and then check whether the result differs from 0x40 (an IPv4 packet).
What you could also have done is:
ip[0] & 0xf0 == 0x60
Which is the same as saying: keep only IPv6 packets. The version in an IPv6 packet is 6, and the version field sits in the same position as in an IPv4 header.

Related

Why does the ip address 127.001 route to 127.0.0.1 and 127.011 route to 127.0.0.9?

Through an accidental typo I've realized that when you try to reach the ip address 127.0.01 it will successfully route to 127.0.0.1.
Playing around with this, I've noticed that there seems to be some kind of translation happening. Some examples:
127.001 -> 127.0.0.1
127.002 -> 127.0.0.2
127.011 -> 127.0.0.9
127.111 -> 127.0.0.111
127.1111 -> 127.0.4.87
127.9999 -> 127.0.39.15
What's the logic behind these translations? I've tried and replicated this on MacOS, Linux and Windows.
From wikipedia:
When fewer than four numbers are specified in the address in dotted notation, the last value is treated as an integer of as many bytes as are required to fill out the address to four octets. Thus, the address 127.65530 is equivalent to 127.0.255.250.
You can do the calculation yourself to check.
Example:
127.9999 = 01111111.00000000.00100111.00001111
         = 127     .0       .39      .15
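The rule quoted from Wikipedia, as an added example that is not part of the answer above. It goes slightly beyond the quote: each part is read with C strtoul() base rules (0x = hex, leading 0 = octal, otherwise decimal), which is what inet_aton() does and why the question's 127.011 becomes 127.0.0.9; the last part then fills whatever bytes are still missing out of four.

```python
# Added example: dotted-notation parsing with 1 to 4 parts, inet_aton() style.

def _c_number(part: str) -> int:
    """Parse one part with C-style base detection (0x hex, leading 0 octal)."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)          # 011 is octal 9, hence 127.011 -> 127.0.0.9
    return int(part, 10)


def parse_dotted(text: str) -> str:
    """Return the canonical a.b.c.d form of a 1- to 4-part dotted address."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"{text!r}: expected 1 to 4 parts")
    values = [_c_number(p) for p in parts]
    # Every part except the last is exactly one octet.
    head, last = values[:-1], values[-1]
    if any(not 0 <= v <= 0xFF for v in head):
        raise ValueError(f"{text!r}: leading part out of octet range")
    remaining = 4 - len(head)        # bytes the last part has to fill
    if not 0 <= last < 256 ** remaining:
        raise ValueError(f"{text!r}: last part does not fit in {remaining} byte(s)")
    raw = bytes(head) + last.to_bytes(remaining, "big")
    return ".".join(str(b) for b in raw)


if __name__ == "__main__":
    for s in ("127.001", "127.011", "127.1111", "127.9999", "127.65530", "0x7f.1"):
        print(f"{s:>10} -> {parse_dotted(s)}")
```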

I noticed something in the optiboot bootloader hex file for Arduino. Why so?

When I look at the bootloader hex file, the starting address of the program is 7E00 according to the Intel HEX format, which is 3F00 as a word address. The interesting part starts right now. According to the Atmega328p datasheet, the BOOTS1 and BOOTS2 registers must be set for this to start from 3F00. But when I look at the Arduino Uno fuse settings,
lfuse = 0xff
hfuse = 0xde
efuse = 0x05
are defined as such. In this case, the BOOTS1 and BOOTS2 parameters in the high fuse settings are shown as not set.
Is there something I'm missing?
Here is the optiboot bootloader hex file:
:107E0000112484B714BE81FFF0D085E080938100F7
:107E100082E08093C00088E18093C10086E0809377
:107E2000C20080E18093C4008EE0C9D0259A86E02C
:107E300020E33CEF91E0309385002093840096BBD3
:107E4000B09BFECF1D9AA8958150A9F7CC24DD24C4
:107E500088248394B5E0AB2EA1E19A2EF3E0BF2EE7
:107E6000A2D0813461F49FD0082FAFD0023811F036
:107E7000013811F484E001C083E08DD089C08234E0
:107E800011F484E103C0853419F485E0A6D080C0E4
:107E9000853579F488D0E82EFF2485D0082F10E0AE
:107EA000102F00270E291F29000F111F8ED06801E7
:107EB0006FC0863521F484E090D080E0DECF843638
:107EC00009F040C070D06FD0082F6DD080E0C81688
:107ED00080E7D80618F4F601B7BEE895C0E0D1E017
:107EE00062D089930C17E1F7F0E0CF16F0E7DF06D8
:107EF00018F0F601B7BEE89568D007B600FCFDCFD4
:107F0000A601A0E0B1E02C9130E011968C91119780
:107F100090E0982F8827822B932B1296FA010C0160
:107F200087BEE89511244E5F5F4FF1E0A038BF0790
:107F300051F7F601A7BEE89507B600FCFDCF97BE46
:107F4000E89526C08437B1F42ED02DD0F82E2BD052
:107F50003CD0F601EF2C8F010F5F1F4F84911BD097
:107F6000EA94F801C1F70894C11CD11CFA94CF0C13
:107F7000D11C0EC0853739F428D08EE10CD085E9AC
:107F80000AD08FE07ACF813511F488E018D01DD067
:107F900080E101D065CF982F8091C00085FFFCCF94
:107FA0009093C60008958091C00087FFFCCF809118
:107FB000C00084FD01C0A8958091C6000895E0E648
:107FC000F0E098E1908380830895EDDF803219F02E
:107FD00088E0F5DFFFCF84E1DECF1F93182FE3DFCA
:107FE0001150E9F7F2DF1F91089580E0E8DFEE27F6
:047FF000FF270994CA
:027FFE00040479
:0400000300007E007B
:00000001FF
You are correct that the high fuse byte of the Arduino Uno is 0xDE; I confirmed that by checking boards.txt.
That means that BOOTSZ is set to 11, which means the bootloader size is 256 words and starts at word 0x3F00 (byte address 0x7E00), as documented in the ATmega328P datasheet (Table 26-7). There is no contradiction.
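An added example, not from the question or from optiboot itself: a small Intel HEX reader that verifies each record's checksum and reports the lowest data address and the type-03 start address. The four records embedded below are copied from the file quoted in the question; the remaining data records are left out to keep the sample short, so the address range reported covers only these records.

```python
# Added example: minimal Intel HEX parser with checksum verification.

OPTIBOOT_RECORDS = [  # copied from the hex file in the question
    ":107E0000112484B714BE81FFF0D085E080938100F7",  # type 00: 16 data bytes at 0x7E00
    ":027FFE00040479",                              # type 00: 2 bytes at 0x7FFE
    ":0400000300007E007B",                          # type 03: start segment address
    ":00000001FF",                                  # type 01: end of file
]


def record_checksum_ok(line: str) -> bool:
    """All record bytes, checksum included, must sum to 0 modulo 256."""
    return sum(bytes.fromhex(line.strip()[1:])) & 0xFF == 0


def parse_ihex(lines):
    """Return (memory, start): memory maps byte address -> value; start is the
    CS:IP address from a type-03 record, or None if the file has none."""
    memory, start = {}, None
    for line in lines:
        line = line.strip()
        if not line.startswith(":"):
            raise ValueError("record must begin with ':'")
        if not record_checksum_ok(line):
            raise ValueError(f"bad checksum in {line}")
        raw = bytes.fromhex(line[1:])
        count, addr, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
        if len(raw) != count + 5:        # count + addr(2) + type + data + checksum
            raise ValueError(f"length field disagrees with record {line}")
        payload = raw[4:4 + count]
        if rtype == 0x00:                # data record
            for i, b in enumerate(payload):
                memory[addr + i] = b
        elif rtype == 0x01:              # end of file
            break
        elif rtype == 0x03:              # start segment address, CS:IP
            cs = int.from_bytes(payload[:2], "big")
            ip = int.from_bytes(payload[2:], "big")
            start = (cs << 4) + ip
        else:                            # 02/04/05 never appear in a 32 KiB AVR image
            raise ValueError(f"unsupported record type {rtype:#04x}")
    return memory, start


if __name__ == "__main__":
    mem, start = parse_ihex(OPTIBOOT_RECORDS)
    print(f"data {min(mem):#06x}..{max(mem):#06x}, start address {start:#06x}")
```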

MSP430FR5xxx CRC in info block

What is the "CRC value" in the info block of MSP430FR5959 (address 01A02h)?
All specs just say "CRC value" and "per unit". But what is the actual data being checksummed? Device ID? Firmware? Something else?
This User's Guide (SLAU367M) has some clues in section 1.14. Table 6-62 in the datasheet says that the CRC length value is 6, which is the same as the Info length value. And the User's Guide section 1.14.1 explains that Info Length value of 6 means 2^6 = 64 32-bit words or 256 bytes. So I suspect the CRC length is also 256 bytes. And I interpret section 1.14.2 to say that Info length (and presumably CRC length) start from address 0x1A08. So my guess is that the CRC value is calculated over the 256 bytes starting at address 0x1A08.

TCP/IP Frame header format

I used ethereal to capture some packets and I'm trying to make sense of the data. This is the output of one of the frames.
0x0000: 4500 003a 4564 4000 4006 df05 0a01 012b E..:Ed@.@......+
0x0010: 0a01 0128 bfcf 3a98 e938 b9c8 e8a0 761f ...(..:..8....v.
0x0020: 8018 05b4 ef33 0000 0101 080a 0005 ff31 .....3.........1
0x0030: 0005 2c31 6865 6c6c 6f0a ..,1hello.
The characters on the right are the ASCII representation of the info on the left (which is hex). The message being sent is "hello" and the rest of the information (or at least some of it) is the header, right? What's the format of the header? I did some googling and found this image: http://electronicdesign.com/site-files/electronicdesign.com/files/archive/electronicdesign.com/files/29/2099/figure_03.gif. Is this correct? According to the image, bytes 27-30 (761f 8018) are the destination IP, but converting the hex to decimal doesn't end up being my IP. Am I missing something or am I completely wrong? Also, how would I find the protocol number?
Are your source ip 10.1.1.43 and destination ip 10.1.1.40?
I believe the info shown is not the ethernet frame, it is an IP package. The first octet is already the IP header.
To get a quick reference to the IP and TCP headers, you can use wiki
http://en.wikipedia.org/wiki/IPv4#Header
http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure
But if you want more details and reliable information, you should check the RFC directly.
https://www.rfc-editor.org/rfc/rfc791#section-3.1
https://www.rfc-editor.org/rfc/rfc793#section-3.1
If I rearrange your data into a 4-octets-per-row format:
4500 003a total length
4564 4000 fragment
4006 df05 header checksum
0a01 012b source IP
0a01 0128 destination IP
bfcf 3a98 ports
e938 b9c8 seq
e8a0 761f ack
8018 05b4 windows
ef33 0000 checksum
0101 080a
0005 ff31
0005 2c31
6865 6c6c
6f0a
The first octet is 4 so you should be using IPv4. On the 3rd row, the second octet is 6. This is the protocol number for TCP. From these two hints I guess this is an IP package, not an ethernet package.
And about ethereal, Remy is right: use Wireshark https://www.wireshark.org/
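An added example that is not part of the answer above: it decodes the exact bytes from the question's dump as an IPv4 header followed by a TCP segment, verifies the IP header checksum, and also shows the version-nibble test that the Wireshark capture filter ip[0] & 0xF0 != 0x40 at the top of this page performs. The packet bytes are copied from the dump; no Ethernet header is present, as the answer notes.

```python
# Added example: decode the question's IPv4 + TCP bytes with struct.
import struct

# Constructed from the hex dump in the question (58 bytes, IP header first).
PACKET = bytes.fromhex(
    "4500003a456440004006df050a01012b"
    "0a010128bfcf3a98e938b9c8e8a0761f"
    "801805b4ef3300000101080a0005ff31"
    "00052c3168656c6c6f0a"
)


def version_is_not_4(pkt: bytes) -> bool:
    """Same test as the capture filter ip[0] & 0xF0 != 0x40."""
    return (pkt[0] & 0xF0) != 0x40


def ones_complement_sum(data: bytes) -> int:
    """RFC 791 checksum over 16-bit words; a header with a valid checksum folds to 0."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4_tcp(pkt: bytes) -> dict:
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4   # IHL is in 32-bit words
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    total_len, _ident, _frag, ttl, proto, _csum = struct.unpack("!HHHBBH", pkt[2:12])
    if ones_complement_sum(pkt[:ihl]) != 0:
        raise ValueError("IP header checksum mismatch")
    if proto != 6:
        raise ValueError(f"protocol {proto} is not TCP")
    sport, dport, seq, ack, off, flags, window = struct.unpack("!HHIIBBH", pkt[ihl:ihl + 16])
    tcp_len = (off >> 4) * 4                            # data offset, 32-bit words
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "ttl": ttl, "protocol": proto, "total_length": total_len,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": window,               # 0x18 = PSH|ACK
        "payload": pkt[ihl + tcp_len:total_len],        # options are skipped
    }


if __name__ == "__main__":
    print(version_is_not_4(PACKET), decode_ipv4_tcp(PACKET))
```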

Determine the network and host ID portion of an IP address

I need to work out the algorithm regarding how you calculate the network and host portion of an IP address.
Is the host ID the public part? Is the network ID the private part for locating the computer within the local network?
If the subnet mask is a value smaller than 255, the corresponding octet in the IP address must be broken down into binary to determine which part of the number is the host ID and which portion is the network ID. Is the resulting binary number always split in two?
(e.g. An IP address of 192.168.33.22 with a subnet mask of 255.255.224.0 means that the octet holding 33 be broken down as follows: 0010|0001 indicating that 0010 is the network ID portion and 0001 is the host ID portion?)
Thank you in advance for any help.
You're over-complicating things.
IPv4 addresses (and subnet masks) are merely displayed in dot-decimal notation simply as a means of making them more readable to humans. Within the computer, they are simply 4 bytes of contiguous memory (often stored, for example, within a long int):
Stored in computer:  11000000 10101000 00100001 00010110
Displayed for human:      192      168       33       22
Stored in computer:  11111111 11111111 11100000 00000000
Displayed for human:      255      255      224        0
The 1s in the mask indicate bits that identify the network, thus one merely need use a bitwise AND operation to extract the "network number":
address  11000000 10101000 00100001 00010110   192.168.33.22
mask     11111111 11111111 11100000 00000000   255.255.224.0
(AND)    -----------------------------------   -------------
network  11000000 10101000 00100000 00000000   192.168.32.0
Since the introduction of CIDR (prior to which the address's class indicated the network/host boundary), hosts usually only know the mask of their own network and are therefore unable to divide arbitrary addresses (e.g. that of a datagram's destination) into network and host numbers.
So what's the point? Well, a source host can still take the bitwise AND of the destination's address and its (the source's) own network mask. Whilst the result of that operation will not necessarily produce a meaningful network number, it will match the source's network number if and only if they are on the same network:
if they match, the destination should be reachable at the link layer (e.g. by looking up its MAC address, perhaps via broadcasting an ARP request, and then encapsulating the datagram in a frame that is addressed to that MAC);
if they differ, the source must send the datagram to a router that is on its own network (using the above process to reach that router); the router will see that the frame is addressed to it, but that the datagram is not, and should then forward the datagram (encapsulated in a different frame) towards the destination. Many hosts only know of one router, their "default gateway", although other configurations are possible.
Those address bits that don't identify the source's network, evidently indicated by 0s in its network mask, can be considered to form its "host number"—although it's really neither meaningful nor useful to extract it in the same way as was done above: even when communicating with a host on one's own network, its full address is used for identification, never the host number alone.
That said, as a purely academic exercise it is of course possible to perform a bitwise AND with the complement of the mask:
address  11000000 10101000 00100001 00010110   192.168.33.22
~mask    00000000 00000000 00011111 11111111   0.0.31.255
(AND)    -----------------------------------   -------------
host     00000000 00000000 00000001 00010110   0.0.1.22
So, to address your questions:
Is the host ID the public part? Is the network ID the private part for locating the computer within the local network?
The entire address is "public"; there are no "private" parts. Lookup protocols like ARP (which uses the full address) are used to locate computers within the local network.
If the subnet mask is a value smaller than 255, the corresponding octet in the IP address must be broken down into binary to determine which part of the number is the host ID and which portion is the network ID. Is the resulting binary number always split in two?
Nothing is "split in two". It only appears that way because dot-decimal notation was intended to make IPv4 addresses more readable to humans (albeit that decision was taken prior to the invention of CIDR, when network numbers were always aligned to byte boundaries and thus never caused the apparent "split" of a decimal number).
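The bitwise operations the answer above describes, as an added example that is not part of it: network and host numbers for the question's address and mask, a prefix-length check that rejects non-contiguous masks, and the "is the destination on my network?" decision a host makes before either resolving the destination directly or handing the datagram to its router. The gateway address 192.168.32.1 is a constructed value for the demonstration.

```python
# Added example: network/host split and the same-network test from the answer.

def to_int(dotted: str) -> int:
    """192.168.33.22 -> 0xC0A82116 (four octets, big-endian)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {dotted!r}")
    return int.from_bytes(bytes(octets), "big")


def to_dotted(value: int) -> str:
    return ".".join(str(b) for b in (value & 0xFFFFFFFF).to_bytes(4, "big"))


def network_number(addr: str, mask: str) -> str:
    """address AND mask."""
    return to_dotted(to_int(addr) & to_int(mask))


def host_number(addr: str, mask: str) -> str:
    """address AND NOT mask (the purely academic operation from the answer)."""
    return to_dotted(to_int(addr) & ~to_int(mask))


def prefix_length(mask: str) -> int:
    """255.255.224.0 -> 19; rejects masks whose 1 bits are not contiguous."""
    m = to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")
    return ones


def next_hop(src: str, mask: str, dst: str, gateway: str) -> str:
    """Deliver directly when dst ANDed with the source's mask equals the
    source's own network number; otherwise send to the default gateway."""
    same = (to_int(dst) & to_int(mask)) == (to_int(src) & to_int(mask))
    return dst if same else gateway


if __name__ == "__main__":
    ip, mask, gw = "192.168.33.22", "255.255.224.0", "192.168.32.1"  # gw constructed
    print(network_number(ip, mask), host_number(ip, mask), prefix_length(mask))
    print(next_hop(ip, mask, "192.168.60.9", gw), next_hop(ip, mask, "192.168.64.1", gw))
```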
Is the host ID the public part? Is the network ID the private part for locating the computer within the local network?
The host and network portions of an ip address have nothing to do with public and private.
If the subnet mask is a value smaller than 255, the corresponding octet in the IP address must be broken down into binary to determine which part of the number is the host ID and which portion is the network ID. Is the resulting binary number always split in two? ...a subnet mask of 255.255.224.0 means that the octet holding 33 be broken down as follows: 0010|0001...
Your example is wrong. Specifically, you assume that 224 has four consecutive binary bits in it when you split the 33 octet as 0010|0001 (where | is the division between network and host)...
The octet in the subnet mask containing 224 has three consecutive binary 1s in it: 11100000. Therefore the "network portion" of the whole IP address is: 192.168.32.0. The "host portion" of the ip address is 0.0.1.22. Using your notation, the third octet of ip 192.168.33.22 (mask 255.255.224.0) is: 001|00001.
To get the network portion of an IP address, you must perform a binary AND of the ip address and its netmask. The host portion is a binary AND of the inverted netmask (bits flipped between 0 and 1).
EDIT
Let's make another example to address your comment:
IP Address 192.168.255.22, NetMask 255.255.224.0
The network portion of this address is 192.168.224.0 and the host portion of the address is 0.0.31.22. I intentionally chose the numbers in the example to make the math as obvious as possible. Please convert 224 and 31 to binary; it should make things clear. If not, please reference the Wikipedia article on subnetting.
Host address portion and network address portion can be easily identified.
Use this trick.
Class A: N.H.H.H
Class B: N.N.H.H
Class C: N.N.N.H
(N= network H=Host)
Class A network range: 1-127
Class B network range: 128-191
Class C network range: 192-223
Reference: https://www.youtube.com/watch?v=ddodZeXUS0w
You can use the following script:
#!/bin/sh
# Usage: script.sh <ip> <mask>
# Prints the network ID, i.e. the bitwise AND of the address and the mask.

# Convert a dotted-quad address to its 32-bit integer value.
GetNumericIP()
{
    ipbin=0
    for part in $(echo "$1" | awk -F'.' '{print $1 " " $2 " " $3 " " $4}')
    do
        ipbin=$(( ipbin * 256 + part ))
    done
    echo "$ipbin"
}

# Convert a 32-bit integer back to dotted-quad notation.
GetStringIP()
{
    ipbin=$1
    ipstr=""
    count=0
    while [ "$count" -le 3 ]
    do
        rem=$(( ipbin % 256 ))
        ipbin=$(( ipbin / 256 ))
        if [ -z "$ipstr" ]
        then
            ipstr=$rem
        else
            ipstr="${rem}.${ipstr}"
        fi
        count=$(( count + 1 ))
    done
    echo "$ipstr"
}

ip=$1
mask=$2
ipbin=$(GetNumericIP "$ip")
maskbin=$(GetNumericIP "$mask")
networkid=$(( maskbin & ipbin ))
networkid=$(GetStringIP "$networkid")
echo "networkid = $networkid"