Develop Reference

private IP address classes

according to some references Class C for example can provide 2^8 hosts (mask /24), according to others it can provide 2^16 hosts (mask /16).?
so what is the real mask of C class ??

from the Protocol IPv4 Specification in RFC 791 publication:
Address Formats:
High Order Bits Format Class
--------------- ------------------------------- -----
0 7 bits of net, 24 bits of host a
10 14 bits of net, 16 bits of host b
110 21 bits of net, 8 bits of host c
111 escape to extended addressing mode
-- RFC 791 - Addressing
so, for class C
address | N.N.N.H (N network bit, H hosts bit)
mask | 11111111.11111111.11111111.0000000 (/24)
# of address | 256 (2^8)
# of hosts | 256 (2^8 – 2)
Update
after rechecking the image that was associated with the OP post, I noticed that his confusion comes from Reserved IP addresses notion, and precisely the 192.168.0.0/16address block. and my accepted answer wasn't explaining that properly ^^"
TL;DR:
192.168.0.0/16 isn't a single C class network number with a /16 host mask, but a set of 256 class C network numbers
Explanation
given the my original answer.
C class addresses form:
110xxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx
+------------------------+.+------+
net host
C class addresses range
net host
+-------------------------+.+------+
from: 110 00000.00000000.00000000.00000000 (192.0.0.0)
to : 110 11111.11111111.11111111.11111111 (223.0.0.0)
+++ -----.--------.--------.--------
form this whole range, there are reserved IP addresses blocks, for various propose. cf. reserved IP addresses blocks
among this reserved blocks there is:
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
reserved for Private Network according to RFC 1918, and defined as: "a set of 256 contiguous class C network numbers.".So:
192.168/16
192.168.0.0/24 (254 host)
...
192.168.255.0/24 (254 host)
You can visualize it as:
net host
+-------------------------+.+------+
+++ -----.--------.--------.-------- <- C class
from: 110 00000.10101000.00000000.00000000 (192.168.0.0)
to : 110 11111.10101000.11111111.11111111 (192.168.255.255)
+++ +++++.++++++++.--------.-------- <- /16 mask

Wireshark Capture Filter Example

This is with respect to a Wireshark Packet Capture Filter.
IP packets whose IP version is not 4
Solution :
Filter:
ip[0] & 0xF0 != 0x40
ip[0] & 1111 0000 != 64
Could anyone please provide clarity on how the above solution could be inferred?
Thanks in advance,
Adam

According to the IPv4 packet structure:
You have the version in the first octet, in the upper nibble. Version for IPv4 packets is "4" as you can see in the picture, but remember it has to be in the upper nibble, hence the 0x40 in the filter (64 in decimal base).
So what your filter do is grab the first byte of the IP header and AND it with 0xF0 to be sure it's keeping the version part (upper nibble) and then check if it is different from 0x40 (IPv4 packet).
What you could also have done is:
ip[0] & 0xf0 == 0x60
Which is the same as saying, keep only IPv6 packets. Version in a IPv6 packet is equal to 6. The position of the version information is the same as for a IPv4 header:

how do i open a .mrstd file format?

I am trying to open a file used by a reading application on my Kindle HD, and I am trying to export the ton of highlights that i have within the app.
When opening the .mrstd file with sublime text it looks like :
"504b 0304 1400 0808 0800 a46a 8e45 0000
0000 0000 0000 0000 0000 1d00 0000 636f
6d2e 666c 7965 7273 6f66 742e 6d6f 6f6e
7265 6164 6572 2f6c 6962 2f03 0050 4b07
0800 0000 0002 0000 0000 0000 0050 4b03" and on and on.
what is this & how do i crack it?
please,
thank you,
nicoara

TL;DR it's a zip file.
In linux, you can use the command "file" which will try to identify the file format.
I asked the same question you did, so I ran file a.mrstd and got a.mrstd: Zip archive data, at least v2.0 to extract
If you have windows instead, you can run linux commands using WSL, google for it.

Determine the network and host ID portion of an IP address

I need to work out the algorithm regarding how you calculate the network and host portion of an IP address.
Is the host ID the public part? Is the network ID the private part for locating the computer within the local network?
If the subnet mask is a value smaller than 255 the corresponding octet in the IP address must be broken down into binary to determine which part of the number is the host ID and which portion is the network ID. Is the result binary number always split in two?
(e.g. An IP address of 192.168.33.22 with a subnet mask of 255.255.224.0 means that the octet holding 33 be broken down as follows: 0010|0001 indicating that 0010 is the network ID portion and 0001 is the host ID portion?)
Thank you in advance for any help.

You're over-complicating things.
IPv4 addresses (and subnet masks) are merely displayed in dot-decimal notation simply as a means of making them more readable to humans. Within the computer, they are simply 4 bytes of contiguous memory (often stored, for example, within a long int):
Stored in computer: 11000000 10101000 00100001 00010110
Displayed for human: 192. 168. 33. 22
Stored in computer: 11111111 11111111 11100000 00000000
Displayed for human: 255. 255. 224. 0
The 1s in the mask indicate bits that identify the network, thus one merely need use a bitwise AND operation to extract the "network number":
address 11000000 10101000 00100001 00010110 192.168.33.22
mask 11111111 11111111 11100000 00000000 255.255.224.0
(AND) ----------------------------------- -------------
network 11000000 10101000 00100000 00000000 192.168.32.0
Since the introduction of CIDR (prior to which the address's class indicated the network/host boundary), hosts usually only know the mask of their own network and are therefore unable to divide arbitrary addresses (e.g. that of a datagram's destination) into network and host numbers.
So what's the point? Well, a source host can still take the bitwise AND of the destination's address and its (the source's) own network mask. Whilst the result of that operation will not necessarily produce a meaningful network number, it will match the source's network number if and only if they are on the same network:
if they match, the destination should be reachable at the link layer (e.g. by looking up its MAC address, perhaps via broadcasting an ARP request, and then encapsulating the datagram in a frame that is addressed to that MAC);
if they differ, the source must send the datagram to a router that is on its own network (using the above process to reach that router); the router will see that the frame is addressed to it, but that the datagram is not, and should then forward the datagram (encapsulated in a different frame) towards the destination. Many hosts only know of one router, their "default gateway", although other configurations are possible.
Those address bits that don't identify the source's network, evidently indicated by 0s in its network mask, can be considered to form its "host number"—although it's really neither meaningful nor useful to extract it in the same way as was done above: even when communicating with a host on one's own network, its full address is used for identification, never the host number alone.
That said, as a purely academic exercise it is of course possible to perform a bitwise AND with the complement of the mask:
address 11000000 10101000 00100001 00010110 192.168.33.22
~mask 00000000 00000000 00011111 11111111 0.0.31.255
(AND) ----------------------------------- -------------
host 00000000 00000000 00000001 00010110 0.0.1.22
So, to address your questions:
Is the host ID the public part? Is the network ID the private part for locating the computer within the local network?
The entire address is "public"; there are no "private" parts. Lookup protocols like ARP (which uses the full address) are used to locate computers within the local network.
If the subnet mask is a value smaller than 255 the corresponding octet in the IP address must be broken down into binary to determine which part of the number is the host ID and which portion is the network ID. Is the result binary number always split in two?
Nothing is "split in two". It only appears that way because dot-decimal notation was intended to make IPv4 addresses more readable to humans (albeit that decision was taken prior to the invention of CIDR, when network numbers were always aligned to byte boundaries and thus never caused the apparent "split" of a decimal number).

Is the host ID the public part? Is the network ID the private part for locating the computer within the local network?
The host and network portions of an ip address have nothing to do with public and private.
If the subnet mask is a value smaller than 255 the corresponding octet in the IP address must be broken down into binary to determine which part of the number is the host ID and which portion is the network ID. Is the result binary number always split in two? ...a subnet mask of 255.255.224.0 means that the octet holding 33 be broken down as follows: 0010|0001...
Your example is wrong. Specifically, you assume that 224 has four consecutive binary bits in it when you spit the 33 octet as 0010|0001 (where | is the division between network and host)...
The octet in the subnet mask containing 224 has three consecutive binary 1s in it: 11100000. Therefore the "network portion" of the whole IP address is: 192.168.32.0. The "host portion" of the ip address is 0.0.1.22. Using your notation, the third octet of ip 192.168.33.22 (mask 255.255.224.0) is: 001|00001.
To get the network portion of an IP address, you must perform a binary AND of the ip address and its netmask. The host portion is a binary AND of the inverted netmask (bits flipped between 0 and 1).
EDIT
Let's make another example to address your comment:
IP Address 192.168.255.22, NetMask 255.255.224.0
The network portion of this address is 192.168.224.0 and the host portion of the address is 0.0.31.22. I intentionally chose the numbers in the example to make the math as obvious as possible. Please convert 224 and 31 to binary, it should make things clear. If not, please reference the wikipedia article on subnetting

Host address portion and network address portion can be easily identified.
Use this trick.
Class A: N.H.H.H
Class B: N.N.H.H
Class C: N.N.N.H
(N= network H=Host)
Class A network range: 1-127
Class B network range: 128-191
Class C network range: 192-223
Reference: https://www.youtube.com/watch?v=ddodZeXUS0w

You can use the following script:
#!/bin/sh
GetNumericIP()
{
ipbin=0
for part in `echo $1 | awk -F'.' '{print $1 " " $2 " " $3 " " $4}'`
do
ipbin=`expr $ipbin \* 256`
ipbin=`expr $ipbin + $part`
done
echo "$ipbin"
}
GetSrtingIP()
{
ipbin=$1
count=0
while [ $count -le 3 ]
do
rem=`expr $ipbin % 256`
ipbin=`expr $ipbin / 256`
if [ -z "$ipstr" ]
then
ipstr=$rem
else
ipstr=`echo ${rem}.${ipstr}`
fi
count=`expr $count + 1`
done
echo $ipstr
}
mask=$2
maskbin=`GetNumericIP $mask`
ip=$1
ipbin=`GetNumericIP $ip`
networkid=$(( $maskbin & $ipbin ))
networkid=`GetSrtingIP $networkid`
echo "networkid = $networkid"

tcpdump vs tcpflow (or "why isn't tcpdump ASCII packet data human readable?")

I have used both, and I conclude that I can read html data from webpages with tcpflow but cannot do so with tcpdump. The best I get is some ugly ASCII text with lots of period symbols.
My understanding is that tcpdump doesn't reassemble packets, whereas tcpflow does. But if that was the key difference, wouldn't the packet data from tcpdump still be human readable - just in smaller chunks? Is the problem that tcpdump is limited to ASCII and most network traffic is encoded in UTF-8?
I'm a rookie on network analysis/programming so forgive me if I'm missing something obvious.

To get that encrypted data one should use tcpdump with option tcpdump –A (capital a). It transfers text without any headers and is used mainly for web pages. Hence we get response page easily.
I think you are getting confused between an application layer and transport layer packet.
I do not know about tcpflow but tcpdump capture the whole packet (including header and all other stuff) not just the data.The html data which you are mentioning would be in the data part of a tcp/udp/icmp packet whichever you are using and so it needs you to understand the structure of tcp/udp/icmp packet as well ...
I capture this packet on my machine and HTML data is clearly visible , you need to write script to get it from the output with a knowledge of packet structure.
16:15:17.968325 IP 172.31.9.84.80 > 172.31.9.177.56559: P 2575928381:2575928808(427)
ack 65285447 win 1716 <nop,nop,timestamp 21031622 15165633>
0x0000: 4500 01df 66fd 4000 4006 66d8 ac1f 0954 E...f.#.#.f....T
0x0010: ac1f 09b1 0050 dcef 9989 8c3d 03e4 2d47 ..... P.....=..-G
0x0020: 8018 06b4 1a2a 0000 0101 080a 0140 eac6 .....*.......#..
0x0030: 00e7 68c1 4854 5450 2f31 2e31 2032 3030 ..h.HTTP/1.1.200
0x0040: 204f 4b0d 0a44 6174 653a 2046 7269 2c20 .OK..Date:.Fri,.
0x0050: 3130 204a 756c 2032 3030 3920 3130 3a32 10.Jul.2009.10:2
0x0060: 303a 3136 2047 4d54 0d0a 5365 7276 6572 0:16.GMT..Server
0x0070: 3a20 4170 6163 6865 2f32 2e30 2e35 3220 :.Apache/2.0.52.
0x0080: 2852 6564 2048 6174 290d 0a4c 6173 742d (Red.Hat)..Last-
0x0090: 4d6f 6469 6669 6564 3a20 4672 692c 2031 Modified:.Fri,.1
0x00a0: 3020 4a75 6c20 3230 3039 2030 393a 3331 0.Jul.2009.09:31
0x00b0: 3a30 3420 474d 540d 0a45 5461 673a 2022 :04.GMT..ETag:."
0x00c0: 3266 6231 3333 2d37 372d 6131 3935 3436 2fb133-77-a19546
0x00d0: 3030 220d 0a41 6363 6570 742d 5261 6e67 00"..Accept-Rang
0x00e0: 6573 3a20 6279 7465 730d 0a43 6f6e 7465 es:.bytes..Conte
0x00f0: 6e74 2d4c 656e 6774 683a 2031 3139 0d0a nt-Length:.119..
0x0100: 4b65 6570 2d41 6c69 7665 3a20 7469 6d65 Keep-Alive:.time
0x0110: 6f75 743d 3135 2c20 6d61 783d 3130 300d out=15,.max=100.
0x0120: 0a43 6f6e 6e65 6374 696f 6e3a 204b 6565 .Connection:.Kee
0x0130: 702d 416c 6976 650d 0a43 6f6e 7465 6e74 p-Alive..Content
0x0140: 2d54 7970 653a 2074 6578 742f 6874 6d6c -Type:.text/html
0x0150: 3b20 6368 6172 7365 743d 4953 4f2d 3838 ;.charset=ISO-88
0x0160: 3539 2d31 0d0a 0d0a 3c68 746d 6c3e 0a0a 59-1....<html>..
0x0170: 3c62 6f64 793e 0a49 6e64 6961 6e20 696e <body>.Indian.in
0x0180: 7374 6974 7574 6520 6f66 2074 6563 686e stitute.of.techn
0x0190: 6f6c 6f67 7920 2e2e 2e2e 2e20 7468 6973 ology.......this
0x01a0: 2069 7320 7468 6520 7465 7374 2070 6167 .is.the.test.pag
0x01b0: 652e 0a3c 4120 6872 6566 3d22 6164 2e68 e..<A.href="ad.h
0x01c0: 746d 6c22 3e61 6263 643c 2f41 3e0a 0a3c tml">abcd</A>..<
0x01d0: 2f62 6f64 793e 0a3c 2f68 746d 6c3e 0a /body>.</html>.
The last 7-8 lines describe the html data.
use -s0 to capture whole frame and -X to print in above ASCII human readable format.
To get that encrypted data one should use TCPDUMP with option –A (capital a). It transfers text without any headers and is used mainly for web pages. Hence we get response page easily.
For eg:
I request index.html to 172.31.9.84 at port 80
Then I requested GET/index.html (an example page that contains only text “Indian institute of technology this is the test page”)
At this moment when I captured packets I got something as:
Request:
18:10:42.387426 IP 172.31.9.177.42943 > 172.31.9.84.80:
P 1:15(14) ack 1 win 46 <nop,nop,timestamp 6644101 353753635>
E..B.G#.#........T...P^R.Mb.L.....ke.....
.ea....#GET /index.html
Response:
18:10:42.388127 IP 172.31.9.84.80 > 172.31.9.177.42943: P 1:53(52)
ack 15 win 1448 <nop,nop,timestamp 353758368 6644101>
E..h..#.#.8m..T.. ..P..b.L.^R.[....d......
.....ea.<html>
<body>
Indian institute of technology this is the test page
</body>
</html>

When trying to get HTTP data using tcpdump, you will see clear text in ASCII if you apply the -A option. However, a HTTP data is almost always compressed with gzip mode or other. You can see it in headers:
Content-Encoding: gzip, compress, bzip2
Thus, tcpdump will output in your screen several bytes and they are the compressed data!!! You will need to use tshark or wireshark to see flat data. Then your problem isn't UTF8.
You can test tcpdump data display disabling deflate module in Apache web server.
Hope this help.