
Tip of the Month

January 2005

Bit by Bit: Using Binary Bit Filters in WildPackets' Products

When we examine fields in the packet headers, most of these are one or more bytes in length. However, some fields, such as various flags, are only 1 bit in length. So there are occasions when we need to filter based on the value of a single bit or a combination of two or more bits. We can do this with a Value filter.

Scenario: We want to examine all TCP connection setup frames. These will be all of the frames in which the TCP SYN flag bit is set to a value of 1.

Before we can build the filter, we must determine the location of the SYN flag within the frame. The TCP flags are the last six bits of the byte at hex offset 0x2F. This byte is formatted as follows:

[Figure: bit layout of the TCP flags byte at offset 0x2F]

We are interested in all frames where the SYN flag bit is set to one. Since a frame with only the SYN flag set has a value of 0x02 in this byte, we might be tempted to build a value filter that locates all frames with a hex value of 02 at offset 0x2F. This filter would not give us all of the SYN packets, since the SYN flag may occur in combination with other flags (a SYN/ACK, for example, has a value of 0x12). To solve this problem, we will build a bit filter that tells the analyzer we want to see all frames in which the SYN bit is 1, while ignoring the value of the other bits in that byte. We can do so with a Value filter.

To build our filter, we’ll start by selecting an example packet with the SYN flag set to 1. The procedure for building the filter is as follows:

  1. Click on the packet to display its decode and hex contents.
  2. Right click on the TCP Flags field, and select “Make Filter” from the popup menu. You should now see the advanced filter dialog window.
  3. Name the filter “All SYN Packets” and double click the existing filter condition. To specify which data interests us, we will specify a length of 1 byte and an offset of 0x2F.
  4. Now we have to create the binary components of our filter.

    1. The Mask field defines which bits in the byte interest us. In this example, we are only concerned with the SYN flag bit. The SYN flag is in the 2’s position in the lower nibble, as shown below.

       [Figure: bit positions within the TCP flags byte]

       We tell the analyzer which bits interest us by creating a mask. In this mask, each bit that does interest us is set to 1. Those bits that do not interest us are set to 0. In our example, our mask would be 0000 0010, indicating that only the second bit in the lower nibble is of interest. We convert this to hex to give us a mask of 0x02.

       Additional Example: If we were interested in both the SYN and ACK bits, our mask would be 0001 0010, which yields a hex mask of 0x12.

    2. The Value field tells the analyzer what we want the value of the bit(s) of interest to be. In our case, we want to see all packets in which the SYN bit is set to 1. Since our mask instructs the analyzer to ignore the value of all other bits in this byte, the Value field can only take on a value of 0x02, so that is what we will specify to the analyzer.

    3. We also need to add another AND condition to specify that we only want to see TCP protocol packets.

  5. After entering the length, offset, mask, and value, and after excluding all protocols except TCP, click OK to save the filter.
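The procedure above can be reproduced outside the analyzer to see why the mask matters. The following Python is an added example, not code from the article or from WildPackets: it builds a handful of constructed Ethernet/IPv4/TCP frames, implements the same offset/mask/value test the filter dialog performs, and runs three filters over them: the naive "byte at 0x2F equals 0x02" check, the article's mask 0x02 / value 0x02 filter combined with the TCP-only AND condition, and the mask 0x12 / value 0x12 variant from the additional example. The offsets assume a plain Ethernet II frame carrying IPv4 without options; an 802.1Q tag or IP options would shift the flags byte away from 0x2F, which is the usual reason a filter built this way silently matches nothing.

```python
import struct

# Byte offsets in an Ethernet II + IPv4 (no options) + TCP frame.
# Assumption: no 802.1Q VLAN tag and a 20-byte IP header; a tag or IP
# options would move the TCP flags byte away from 0x2F.
ETHERTYPE_OFFSET = 0x0C   # 2-byte EtherType
IP_PROTO_OFFSET = 0x17    # IPv4 protocol field (6 = TCP)
TCP_FLAGS_OFFSET = 0x2F   # the flags byte used in the article

# TCP flag bits within the flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_frame(tcp_flags: int, ip_proto: int = 6) -> bytes:
    """Constructed sample frame: 14-byte Ethernet header, 20-byte IPv4
    header, 20-byte TCP header, no payload (54 bytes total)."""
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0x1234, 0x4000, 64, ip_proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH",
                      40000, 80, 1000, 0, 0x50, tcp_flags, 65535, 0, 0)
    return eth + ip + tcp


def bit_filter(frame: bytes, offset: int, mask: int, value: int, length: int = 1) -> bool:
    """The analyzer's mask/value test: take `length` bytes at `offset`,
    keep only the bits selected by `mask`, and compare with `value`."""
    if len(frame) < offset + length:
        return False                      # a frame too short to contain the field cannot match
    field = int.from_bytes(frame[offset:offset + length], "big")
    return (field & mask) == value


def is_tcp(frame: bytes) -> bool:
    """The extra AND condition from step 4.3: IPv4 EtherType and protocol 6."""
    return (bit_filter(frame, ETHERTYPE_OFFSET, 0xFFFF, 0x0800, length=2)
            and bit_filter(frame, IP_PROTO_OFFSET, 0xFF, 6))


def all_syn(frame: bytes) -> bool:
    """The article's filter: mask 0x02, value 0x02 at offset 0x2F, TCP only."""
    return is_tcp(frame) and bit_filter(frame, TCP_FLAGS_OFFSET, SYN, SYN)


def naive_syn(frame: bytes) -> bool:
    """The tempting but wrong version: plain equality, no mask, no TCP check."""
    return len(frame) > TCP_FLAGS_OFFSET and frame[TCP_FLAGS_OFFSET] == 0x02


def syn_ack_only(frame: bytes) -> bool:
    """The additional example: mask 0x12 (SYN|ACK), value 0x12 (both set)."""
    return is_tcp(frame) and bit_filter(frame, TCP_FLAGS_OFFSET, SYN | ACK, SYN | ACK)


# Constructed capture: four TCP frames plus one frame marked as protocol 17
# (UDP) whose byte at 0x2F happens to be 0x02.
SAMPLE_FRAMES = {
    "syn": build_frame(SYN),
    "syn_ack": build_frame(SYN | ACK),
    "ack": build_frame(ACK),
    "psh_ack": build_frame(PSH | ACK),
    "udp_lookalike": build_frame(SYN, ip_proto=17),
}


def select(predicate) -> list:
    """Names of the sample frames that the given filter accepts."""
    return [name for name, frame in SAMPLE_FRAMES.items() if predicate(frame)]


if __name__ == "__main__":
    for name, pred in [("naive equality 0x02", naive_syn),
                       ("mask 0x02 / value 0x02 + TCP", all_syn),
                       ("mask 0x12 / value 0x12 + TCP", syn_ack_only)]:
        print(f"{name:32s} -> {select(pred)}")
```

The naive filter misses the SYN/ACK frame and matches the non-TCP frame, while the masked filter with the TCP condition returns exactly the two connection-setup frames; the 0x12 mask narrows the result to the SYN/ACK alone.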

When we apply this filter, the analyzer will display only those packets with the SYN bit set to 1. There are many other uses for binary filters, e.g. isolating certain types of ICMP packets or examining quality of service bits. Let your imagination run wild, and I’m sure you’ll find that binary filters are a simple, quick way to search through packets!

