Filtering on a Variable Length Subnet Address (Another Binary Filter)


Another type of binary filter can be built to capture traffic to or from a specific network address that is based on a VLSM. Since these addresses do not end on a byte boundary, we need to take the filter definitions and offsets down to the binary level.

For example, Figure 49 shows the results of an address lookup using the WildPackets Subnet Calculator (available online at www.wildpackets.com[10]). In this figure, we can see that there are 4 bits reserved for the subnet address (10nnnnnn.nnnnnnnn.sssshhhh.hhhhhhhh).

This address falls inside the subnet 130.57.64.0 with a 255.255.240.0 mask.

Figure 49: The Subnet Calculator provides the subnet bit mask for a VLSM address.

At a binary level, all the addresses within this subnet's host address range have the following bit pattern (where “h” is the host portion of the address):

10000010.00111001.0100hhhh.hhhhhhhh = 130.57.65.0

The four bits 0100 in the third byte are the subnet bits.

Since the addresses in this subnet fall in that range (130.57.64.1 through 130.57.79.254), we can’t just filter on the first three bytes or even the first two bytes. In this case, we have to go to binary and filter on all packets to or from IP addresses that contain the 30-bit value 10000010.00111001.0100 at offset 0x0C (source IP address field) or 0x10 (destination IP address field).

Figure 50 shows the two filters used to capture all traffic to or from systems on this subnet. On your analyzer, be certain to OR the two values to look for packets to OR from this subnet.

Figure 50: Each filter is built in binary mode to focus on the network and subnet bit values.

Awesome, eh? But, what’s with that offset number and how did I get the binary values for that subnet number?

Well, first, let’s deal with converting the subnet address 130.57.64.0/255.255.240.0 over to binary.

There are three ways to convert between decimal and binary:

  • Use a conversion chart (see Appendix B).

  • Convert in your head (not that hard... we’ll talk about this later in this section).

  • Use a conversion utility like Hex Workshop[11] (www.bpsoft.com).

You can certainly go look up the values in the chart in Appendix B, but that won’t make you self-sufficient at hex-binary conversion.[12] I suggest you take a moment and learn how to do the conversion in your head right now.

Here we go.

First, let’s take a typical byte and put a value into each bit position, as shown in Figure 51.


Figure 51: Start by assigning a value to each bit as shown.

Whenever you see a 1 in a bit position, you must add the value shown in Figure 51. If each bit is filled with zero, the decimal equivalent would be zero.

If the bit in the 1-position was set to a 1 (00000001), the decimal equivalent would be 1. If the bit in the 2-position was set to a 1 (00000010), then the decimal value would be 2. If both the 1-position and 2-position bits are set to 1 (00000011), the decimal value is 3. It’s really pretty simple.

In binary, we are only working with 0 and 1. Wherever you see a 1, you add the value of the bit position. So... what would the binary value be for the decimal value 64?

The answer is 01000000. See? The 64-position is set to 1. I know there are much fancier ways to learn this and refer to this process, but this works for me and probably will work for you.

Take a moment and practice doing a conversion or two. Convert the following decimal numbers to binary:

33 = ___________

66 = ___________

199 = ___________

I’m sure you got the right answers![13] Check the footnote to verify your answers.

Now let’s try to do the reverse operation.

00000100 = ___________

10000001 = ___________

11111111 = ___________

I’m sure you got the right answers again![14]

Building binary filters is a necessity as you work on more advanced filters.
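The following is an added example, not code from the book or from any analyzer product: it builds the Figure 50 subnet filter for 130.57.64.0/255.255.240.0 in Python, using the bit-position conversion method from the section above to produce the dotted-binary pattern, and then applies the filter to the source field (offset 0x0C) and destination field (offset 0x10) of a constructed IPv4 header. The header bytes, the `make_header` helper and the test addresses are my own constructions.

```python
# Added example (not from the book): the Figure 50 subnet filter in code.
BIT_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)   # the per-bit values of Figure 51

def byte_to_bits(value):
    """Decimal byte -> 8-bit string: from 128 down, a 1 wherever the value covers the weight."""
    bits = ""
    for weight in BIT_VALUES:
        if value >= weight:        # this position is a 1: take its value out
            bits += "1"
            value -= weight
        else:
            bits += "0"
    return bits

def bits_to_byte(bits):
    """8-bit string -> decimal: add the value of every position holding a 1."""
    return sum(w for w, b in zip(BIT_VALUES, bits) if b == "1")

def subnet_pattern(network, mask):
    """Dotted-binary pattern with 'h' in the host-bit positions (mask bit 0)."""
    octets = []
    for n, m in zip(network.split("."), mask.split(".")):
        nb, mb = byte_to_bits(int(n)), byte_to_bits(int(m))
        octets.append("".join(b if k == "1" else "h" for b, k in zip(nb, mb)))
    return ".".join(octets)

SRC_OFFSET, DST_OFFSET = 0x0C, 0x10    # IP header offsets of source / destination address

def in_subnet(addr, network, mask):
    """True when the 4 address bytes ANDed with the mask equal the network bytes."""
    return all((a & int(m)) == int(n) for a, n, m in zip(addr, network.split("."), mask.split(".")))

def matches_filter(ip_header, network="130.57.64.0", mask="255.255.240.0"):
    """The two Figure 50 filters ORed together: packet is to OR from the subnet."""
    src = ip_header[SRC_OFFSET:SRC_OFFSET + 4]
    dst = ip_header[DST_OFFSET:DST_OFFSET + 4]
    return in_subnet(src, network, mask) or in_subnet(dst, network, mask)

def make_header(src, dst):
    """Constructed 20-byte IPv4 header (no options) carrying src/dst; other fields are filler."""
    hdr = bytearray([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0])   # bytes 0x00-0x0B
    hdr += bytes(int(o) for o in src.split("."))                 # offset 0x0C
    hdr += bytes(int(o) for o in dst.split("."))                 # offset 0x10
    return bytes(hdr)

if __name__ == "__main__":
    print(subnet_pattern("130.57.64.0", "255.255.240.0"))            # 10000010.00111001.0100hhhh.hhhhhhhh
    print(matches_filter(make_header("10.1.1.1", "130.57.79.254")))  # True: destination is in the subnet
    print(matches_filter(make_header("130.57.80.1", "10.1.1.1")))    # False: 80 = 01010000, subnet bits differ
```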

[10]This is a really well-designed and developed tool. It was built by Scott Haugdahl for his company, Net3Group. When Scott went to work for WildPackets, they received not only a great engineer/designer, but an array of fantastic complementary tools such as the Subnet Calculator, Packet Scrubber, and ProConvert.

[11]I love Hex Workshop -- when email attachments are sent along to me from unknown sources, I open them in hex workshop to look for any suspect code or programmers’ notes. Very interesting stuff... try it - open an executable in Hex Workshop and see what’s in there. Although I love the tool, I’ve had a hell of a time getting BreakPoint Software to respond to requests to put them on “Laura’s Lab Kit.”

[12]I’m just going to assume that you are not going to carry this book with you everywhere you go for the rest of your analysis career. True?

[13]33 = 00010001; 66 = 01000001; 199 = 11000111.

[14]00000100 = 4d; 10000001 = 129d; 11111111 = 255d.

Packet Filtering: Catching the Cool Packets
ISBN: 1893939383
Year: 2000
Pages: 65