another newbie question {Scanned by HJMS}

Furnish, Trever G TGFurnish at herff-jones.com
Tue Jan 27 17:20:51 EST 2004


> -----Original Message-----
> From: Kevin C Miller [mailto:kevinm at andrew.cmu.edu]
> Sent: Tuesday, January 20, 2004 12:06 PM
> To: Furnish, Trever G; Argus List (E-mail)
> Subject: Re: another newbie question {Scanned by HJMS}
> 
> 
> It's just the BPF language that tcpdump and others use.

So it *is* the same as tcpdump?  Odd then that tcpdump has no issue with "!"
(and it's in the tcpdump manual page).  From that page:

Primitives may be combined using:
   A parenthesized group of primitives and operators (parentheses are
special to the Shell and must be escaped).
   Negation (`!' or `not').
   Concatenation (`&&' or `and').
   Alternation (`||' or `or').

But I'll give "not" a try nonetheless - thanks.

> Also, 255.255.0.192 isn't a valid netmask. Do you mean 255.255.255.192?

I'm surprised at that statement.  By my understanding of netmasks (which
applies quite well to Cisco routers), there is no requirement that the 1's
in a mask be contiguous across octet boundaries.  In a mask, the 1's denote
those bits of the address octets which are not allowed to vary.

So for example, the following "pattern" (address+mask):
1.2.3.4 mask 255.255.0.255

...should match each of the following example addresses:
1.2.1.4
1.2.2.4
1.2.3.4
1.2.4.4
...

...because the third octet is all zeros, meaning all eight bits are allowed
to vary.

And by that logic, all of the three expressions I listed in the original
message define the exact same set of addresses.


> -Kevin
> 
> --On Tuesday, January 20, 2004 11:58 AM -0500 "Furnish, Trever G" 
> <TGFurnish at herff-jones.com> wrote:
> 
> > [root at enterprise u01]# ramon -M Matrix -n -L0 -r /u01/argus.log - dst net 192.168.0.64 mask 255.255.0.192 and ! net 192.168.1.0 mask 255.255.0.0 | wc -l
> >     341
> 
> 
> 
> ---------------------------------------------------
> Kevin C. Miller <kcm at cmu.edu>
> Network Development
> Carnegie Mellon University
> 
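
The mask-and-compare matching described in this message, as an added example that is not part of the original post or of argus: an address matches when it agrees with the pattern on every bit where the mask has a 1, and a separate check reports whether a mask's 1 bits are contiguous, the property the thread disagrees about. The function names and the addresses marked as constructed are assumptions made for illustration.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def matches(addr, pattern, mask):
    """True when addr equals pattern on every bit where mask has a 1."""
    m = to_int(mask)
    return (to_int(addr) & m) == (to_int(pattern) & m)

def is_contiguous(mask):
    """True when the mask is a run of 1 bits followed only by 0 bits."""
    inverted = ~to_int(mask) & MASK32
    # A contiguous mask inverts to 2**k - 1, and x & (x + 1) == 0 only then.
    return (inverted & (inverted + 1)) == 0

def ignored_bits(pattern, mask):
    """Pattern bits the mask does not test; they never affect a match."""
    return str(ipaddress.IPv4Address(to_int(pattern) & ~to_int(mask) & MASK32))

if __name__ == "__main__":
    # Pattern and addresses from the message; 1.2.3.5 is a constructed non-match.
    for addr in ["1.2.1.4", "1.2.2.4", "1.2.3.4", "1.2.4.4", "1.2.3.5"]:
        print(addr, matches(addr, "1.2.3.4", "255.255.0.255"))
    # Masks mentioned in the thread.
    for mask in ["255.255.0.192", "255.255.255.192", "255.255.0.255", "255.255.0.0"]:
        print(mask, "contiguous" if is_contiguous(mask) else "non-contiguous")
    # Constructed destinations against the first pattern of the quoted filter.
    for addr in ["192.168.5.70", "192.168.5.130"]:
        print(addr, matches(addr, "192.168.0.64", "255.255.0.192"))
    # Bits of the second pattern that fall outside its mask.
    print(ignored_bits("192.168.1.0", "255.255.0.0"))
```

This shows only the bitwise arithmetic; whether a particular filter compiler accepts a non-contiguous mask, or a pattern with bits set outside its mask, depends on that tool's parser.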


