Examine the correctness of filter

Carter Bullard carter at qosient.com
Fri Dec 15 14:25:23 EST 2006


Hey CS,
Just looked at the code and it's correct for it to be:

    and  #31

This is a mask to make all the linktypes available
so that an 8-bit equal will work (#31 is 0x1F).  I at
first thought that was "0x31", which wouldn't make
any sense to me.  I'm still wondering why it's not
printed in hex, but that is not important, really.

Hope all is most excellent,

Carter


On Dec 12, 2006, at 8:46 AM, CS Lee wrote:

> Carter,
>
> I don't have a problem with it; I'm just learning to read it properly.
> I'm wondering why it is 31 as well, as it should be 3 where the
> quantifier is located instead.
>
> Thanks.
>
> On 12/12/06, carter at qosient.com <carter at qosient.com> wrote:
> Hey CS,
> The second statement is " and immediate 31 " but it looks like it  
> should be " and immediate 3 ", instead.
>
> Are you having problems?
>
> Carter
>
> Carter Bullard
> QoSient LLC
> 150 E. 57th Street Suite 12D
> New York, New York 10022
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
> -----Original Message-----
> From: "CS Lee" <geek00l at gmail.com>
> Date: Tue, 12 Dec 2006 19:07:40
> To:"Carter Bullard" <carter at qosient.com >
> Cc:Argus <argus-info at lists.andrew.cmu.edu>
> Subject: Re: [ARGUS] Examine the correctness of filter
>
> Carter,
>
>   ra -b - tcp
> (000) ldb [142]
> (001) and #31
> (002) jeq #0x1 jt 3 jf 5
> (003) ldb [152]
> (004) jeq #0x6 jt 8 jf 9
> (005) jeq #0x2 jt 6 jf 9
> (006) ldb [179]
> (007) jeq #0x6 jt 8 jf 9
> (008) ret #96
> (009) ret #0
>
> It looks to me that it loads one-byte quantity at an offset of 142.
>
> 001 - Get to 31st byte
> 002 - Compare and see whether it is 0x1, if it is, that's IPv4 
> (quantifier) and jump to instruction 003, if it is not, jump to  
> instruction 005.
> 003 - Load one-byte quantity at an offset of 152
> 004 - Compare and check if it is 0x6 (trans proto is tcp for ip); if
> it is then jump to instruction 008, if it is not then jump to
> instruction 009
> 005 - Compare and check if it is 0x2, which is IPv6 (quantifier), and
> jump to instruction 006, or if it is not then jump to instruction 009
> 006 - Load one-byte quantity at an offset of 179
> 007 - Compare and check if it is 0x6 (trans proto is tcp for ipv6);
> if it is then jump to 008 or else jump to 009.
> 008 - Return 96 bytes
> 009 - Return nothing
>
> Carter, correct me if I'm wrong, as I don't fully understand all the
> diagrams in the argus_def.h file yet. Thanks.
>
>
>
> On 12/12/06, Carter Bullard <carter at qosient.com> wrote:
> Hey CS,
> Sorry I didn't respond.
> The Argus record is defined in ./include/argus_out.h and
> ./include/argus_def.h.
> Carter
>
> On Dec 3, 2006, at 8:17 PM, CS Lee wrote:
> Hey people,
>
> While reading ra -b output, I come across this -
>
> ra -b - tcp
> (000) ldb [142]
> (001) and #31
> (002) jeq #0x1 jt 3 jf 5
> (003) ldb [152]
> (004) jeq #0x6 jt 8 jf 9
> (005) jeq #0x2 jt 6 jf 9
> (006) ldb [179]
> (007) jeq #0x6 jt 8 jf 9
> (008) ret #96
> (009) ret #0
>
> While this seems not so complicated, is there any reference for the
> argus data format that I can refer to, such as the one shown by
> tcpdump -d, where the correctness of the filter can be confirmed by
> looking at the packet headers?
>
> Thanks.
>
> --
> Best Regards,
>
> CS Lee<geekooL[at]gmail.com>

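To see what the quoted program actually tests, here is an added example that is not part of this thread or of the argus code: a small Python interpreter for the ldb/and/jeq/ret program printed by `ra -b - tcp`, run over constructed byte buffers. The offsets (142, 152, 179) and immediates (#31, 0x1, 0x2, 0x6, #96) are the ones in the listing above; the byte values placed at those offsets are assumptions made only to exercise each branch and are not the real argus record layout from argus_out.h. The example also runs the same program with `and #3` in place of `and #31` to show how the mask width changes what byte 142 values match.

```python
# Added example, not code from the argus project or from this thread: a tiny
# interpreter for the ldb / and / jeq / ret program that `ra -b - tcp` prints,
# executed over constructed byte buffers.  Offsets and immediates come from the
# listing in the thread; the buffer contents are constructed here to exercise
# each branch and do NOT reproduce the real argus record layout.

# (opcode, operand, jump-if-true, jump-if-false), one entry per instruction
PROGRAM = [
    ("ldb", 142, None, None),  # (000) ldb [142]        acc = record[142]
    ("and", 31,  None, None),  # (001) and #31          acc &= 0x1F (decimal 31)
    ("jeq", 0x1, 3, 5),        # (002) jeq #0x1 jt 3 jf 5
    ("ldb", 152, None, None),  # (003) ldb [152]
    ("jeq", 0x6, 8, 9),        # (004) jeq #0x6 jt 8 jf 9
    ("jeq", 0x2, 6, 9),        # (005) jeq #0x2 jt 6 jf 9
    ("ldb", 179, None, None),  # (006) ldb [179]
    ("jeq", 0x6, 8, 9),        # (007) jeq #0x6 jt 8 jf 9
    ("ret", 96,  None, None),  # (008) ret #96          accept
    ("ret", 0,   None, None),  # (009) ret #0           reject
]


def run_filter(program, record):
    """Execute a BPF-style program against `record` (bytes); return the ret value.

    Only the four opcodes that appear in the `ra -b` output are implemented.
    """
    acc = 0   # the single accumulator register
    pc = 0    # program counter
    while True:
        op, k, jt, jf = program[pc]
        if op == "ldb":          # load one byte at absolute offset k
            acc = record[k]
            pc += 1
        elif op == "and":        # AND with an immediate; #31 keeps the low 5 bits
            acc &= k
            pc += 1
        elif op == "jeq":        # branch on equality with an immediate
            pc = jt if acc == k else jf
        elif op == "ret":        # return k bytes (0 means "does not match")
            return k
        else:
            raise ValueError(f"unsupported opcode {op!r} at instruction {pc}")


def with_mask(program, mask):
    """Copy of `program` with the immediate of the `and` instruction replaced."""
    return [("and", mask, None, None) if op == "and" else (op, k, jt, jf)
            for op, k, jt, jf in program]


def make_record(byte142, proto_v4=0, proto_v6=0, size=200):
    """Constructed buffer with only the three offsets the program reads populated."""
    buf = bytearray(size)
    buf[142] = byte142   # assumption: low 5 bits 1 = IPv4, 2 = IPv6, as read in the thread
    buf[152] = proto_v4  # assumption: protocol byte consulted on the IPv4 path
    buf[179] = proto_v6  # assumption: protocol byte consulted on the IPv6 path
    return bytes(buf)


def matches_tcp(record):
    """True when the `tcp` filter accepts the record (ret #96), False on ret #0."""
    return run_filter(PROGRAM, record) == 96


if __name__ == "__main__":
    print("ipv4/tcp :", matches_tcp(make_record(0x01, proto_v4=6)))   # True
    print("ipv4/udp :", matches_tcp(make_record(0x01, proto_v4=17)))  # False
    print("ipv6/tcp :", matches_tcp(make_record(0x02, proto_v6=6)))   # True
    # `and #31` strips the top 3 bits of byte 142, so 0x21 & 0x1F == 1 still takes the IPv4 path
    print("masked   :", matches_tcp(make_record(0x21, proto_v4=6)))   # True
    # With `and #3` instead, 0x05 & 3 == 1 would be treated as IPv4; with #31 it is 5 and rejected
    print("mask 3   :", run_filter(with_mask(PROGRAM, 3), make_record(0x05, proto_v4=6)))  # 96
    print("mask 31  :", run_filter(PROGRAM, make_record(0x05, proto_v4=6)))                # 0
```

The interpreter is deliberately minimal: it handles only the absolute-offset byte load, immediate AND, immediate equality branch and return that appear in the listing, which is enough to step through the program by hand and to see that the `and #31` operand is the 0x1F mask Carter describes rather than a byte offset.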