print

Tip of the Month

May 2002

So Many Questions, So Little Time!

Do I start counting at 1 or 0?
Do I want Hex or Binary?
What bit do I want in this Byte?

These and many other natty questions can be easily answered with WildPackets Analyzers! (Tip: Jump to the end if you don't have enough time to read this through now!)

First, a little background:

Advanced filters are detailed filters possibly focused at a bit level value. Traditionally, when we make a filter at the bit level, we highlight the value in the decode view and see the hex value highlighted in the Hex view. We would count over from the offset value on the left to get the offset for our value. If the bit fell into a byte field that shared bits with other offsets, we would have to define our 'mask.' The Mask is the portion of the Byte that we need to look at to define our value, the rest of the bits we don't care about.

The mask portion is the portion of the bits that are turned on... Each Byte is 8 bits... so 1*8=8 of those 8 bits, each may be on or off (1 or 0):
A mask of 0xFF (decimal 15) means 8 bits of "caring" =11111111
A mask of 0xE0 (decimal 14) means high order bits = 11100000
A mask of 0x0E (decimal 14) low order bits = 00001110

Think of this example as 1111 1111.
The first set of 4 is the high order bits.
The second set of 4 is the low order bits.
Both sets together are 1 Byte.
[For an example, look under the IP header in a decode and find the type field=4 and the length field =5. Now click on the 4 and look in your hex window to see its value highlighted. Click on the 5 and you still see the same "byte" highlighted in the hex window. These values share a byte. The 4 value takes the high-order bits and the 5 takes the low order bits. Turn on the decode offsets "X" (in the decode window on the tool bar) and look at their associated mask.]

The value for the bits to change from binary to decimal is this:

Example:
1010=8+2=10
1110=8+4+2=14
1101=8+4+1=13

The mask portion is what is looked at with a binary "and." For example:
Mask: 1110
Value: 0100
AND together = 0100

Remember:
1 and 1=1
0 and 1=0
1 and 0=0
0 and 0=0

1 means "I care"
0 means "I do not care"

Furthermore, these values are broken from binary to hex (base 16). Hex looks like this 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F,10,11,12,13,14... (you can do more research with these values on your windows calc to see the value in decimal, binary and hex). So Hex E = binary 1110 = decimal 14.

The good news is that WildPackets Analyzers do not require you to do these translations! Right-click (Windows) or Control-Click (MAC) on the desired value and a special menu will appear. Select 'Make Filter' and the value is inserted auto-magically into a new filter, saving you quite a bit of time and unnecessary effort!