I visited yesican.chsoft.biz and the author proposes a way to match packets by less than some size . Here is the thing: match u16 0x0000 0xffb0 at 2 With this match he says that packet with less than 80 bytes will match the rule. Well, 0xffb0 translates to 1111 1111 1011 0000 (which is -80 BTW). So, if I am correct any packet with bits 4 and/or 5 set (together with any of the 4 LSB''s) will break the rule. They will still be less than 80 bytes. If it is so, packets of lenght, for instance, 16, 32 or 48 (32+16) will not make it. I think the proposed solution only works with (2^n)-1 sized packets. Am I correct or I completely misunderstood it? Regards -- Ethy H. Brito /"\ InterNexo Ltda. \ / CAMPANHA DA FITA ASCII - CONTRA MAIL HTML +55 (12) 3941-6860 X ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL S.J.Campos - Brasil / \
Hi Ethy :) * Ethy H. Brito <ethy.brito@inexo.com.br> dixit:> match u16 0x0000 0xffb0 at 2 > > With this match he says that packet with less than 80 bytes will match the rule.That''s right.> Well, 0xffb0 translates to 1111 1111 1011 0000 (which is -80 BTW).It is a mask, not a number (and certainly not a signed one), so there''s no point in considering it -80. It is just a mask.> Am I correct or I completely misunderstood it?You''re right, packet sizes between 16 and 63 (both included) won''t match the rule. Raúl Núñez de Arenas Coronado -- Linux Registered User 88736 | http://www.dervishd.net http://www.pleyades.net & http://www.gotesdelluna.net It''s my PC and I''ll cry if I want to...
On Mon, 19 Dec 2005 16:21:36 +0100 DervishD <lartc@dervishd.net> wrote:> Hi Ethy :)Hi Dervish.> > Well, 0xffb0 translates to 1111 1111 1011 0000 (which is -80 BTW). > > It is a mask, not a number (and certainly not a signed one), so > there''s no point in considering it -80. It is just a mask.My point in considering it a number is explained by: printf("%hx", -80); this will print 0xffb0 which is the mask in question! So, if you intend to creat a mask for 256 bytes size, you printf it as -256. Regards Ethy
Hi Ethy :) * Ethy H. Brito <ethy.brito@inexo.com.br> dixit:> > > Well, 0xffb0 translates to 1111 1111 1011 0000 (which is -80 BTW). > > > > It is a mask, not a number (and certainly not a signed one), so > > there''s no point in considering it -80. It is just a mask. > > My point in considering it a number is explained by: > > printf("%hx", -80);OK, I just didn''t think about that, sorry :)> So, if you intend to creat a mask for 256 bytes size, you printf it as -256.Only if your C implementation treats negative numbers in 2''s complement ;) Of course, I don''t know of any C implementation where integers don''t use 2''s complement for negative numbers, anyway... Raúl Núñez de Arenas Coronado -- Linux Registered User 88736 | http://www.dervishd.net http://www.pleyades.net & http://www.gotesdelluna.net It''s my PC and I''ll cry if I want to...