I am taking a digital security class and I don't understand one of the examples on bitmasking.
To find IPv4 packets they say run this command
tcpdump IP[0] & 0xf0 = 4
I believe that this is wrong. The bit mask correctly selects only the first 4 bits of the IP header (which is the version number) and sets all the bits for the internet header length to 0.
But shouldn't the answer be
tcpdump IP[0] & 0xf0 = 0x40
This states to set all bits in the first byte of the IP packet header except for the first 4 bits (which is the version number) to 0 and to only show packets with this value equal to 0100 0000
This states to set all bits in the first byte of the IP packet header except for the first 4 bits (which is the version number) to 0
More correctly, it selects the first 4 bits of the first byte of the IP packet header, and returns a value in which the lower 4 bits are zero.
So you are correct, in that tcpdump IP[0] & 0xf0 = 4 will NEVER succeed (as IP[0] & 0xf0 is in the range 0x00 through 0xf0, with the low-order nibble being 0, so it can NEVER equal 4), and IP[0] & 0xf0 = 0x40 will succeed only if the IP version number in the IP header is 4 (rather than, for example, 6).
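The arithmetic behind the two filters, as an added example that is not part of the question or the answer above and not tcpdump's own code: it applies the "byte & mask = value" test that tcpdump compiles into a BPF program to a few constructed header byte strings (an IPv4 header, an IPv4 header carrying options, and an IPv6 header; all three are made up for this example, not captured traffic). It also enumerates every value a masked byte can take, which is the direct way to see why "& 0xf0 = 4" can never match, and shows the equivalent right-shift form (tcpdump's filter language also supports ">>"), where comparing against a plain 4 is the right thing to do.

```python
# Constructed sample headers (first 20 or 40 bytes only). The version is the
# high nibble of byte 0; the low nibble of an IPv4 byte 0 is the IHL in
# 32-bit words. Checksums are not meaningful here and are not validated.
IPV4_HEADER = bytes.fromhex("4500003c1c4640004006b1e6c0a80001c0a800c7")      # 0x45: v4, IHL 5
IPV4_WITH_OPTIONS = bytes.fromhex(
    "4600004000004000401100000a0000010a000002") + bytes(4)                    # 0x46: v4, IHL 6
IPV6_HEADER = bytes.fromhex("6000000000143a40") + bytes(32)                   # 0x60: v6

# A small labelled "capture" to run filters over (constructed, not real traffic).
SAMPLE_PACKETS = {
    "v4": IPV4_HEADER,
    "v4opts": IPV4_WITH_OPTIONS,
    "v6": IPV6_HEADER,
}


def byte_mask_filter(packet: bytes, offset: int, mask: int, value: int) -> bool:
    """Emulate a tcpdump test of the form `proto[offset] & mask = value`."""
    return (packet[offset] & mask) == value


def shifted_version_filter(packet: bytes, version: int) -> bool:
    """Emulate `(proto[0] & 0xf0) >> 4 = version`: shift the nibble down first,
    so the comparison is against the version number itself (4 or 6)."""
    return ((packet[0] & 0xF0) >> 4) == version


def ip_version(packet: bytes) -> int:
    """Version number: high nibble of byte 0."""
    return (packet[0] & 0xF0) >> 4


def ipv4_header_length(packet: bytes) -> int:
    """IHL (low nibble of byte 0) is in 32-bit words; return it in bytes."""
    return (packet[0] & 0x0F) * 4


def reachable_masked_values(mask: int) -> set:
    """Every value `b & mask` can take for a byte b. For mask 0xf0 the result is
    {0x00, 0x10, ..., 0xf0}: the low nibble is always 0, so 4 is unreachable."""
    return {b & mask for b in range(256)}


def apply_filter(packets: dict, offset: int, mask: int, value: int) -> list:
    """Names of the sample packets that a `proto[offset] & mask = value` filter keeps."""
    return [name for name, pkt in packets.items()
            if byte_mask_filter(pkt, offset, mask, value)]


if __name__ == "__main__":
    print("ip[0] & 0xf0 = 4    keeps:", apply_filter(SAMPLE_PACKETS, 0, 0xF0, 4))
    print("ip[0] & 0xf0 = 0x40 keeps:", apply_filter(SAMPLE_PACKETS, 0, 0xF0, 0x40))
    print("ip[0] & 0xf0 = 0x60 keeps:", apply_filter(SAMPLE_PACKETS, 0, 0xF0, 0x60))
    print("values reachable through & 0xf0:",
          sorted(hex(v) for v in reachable_masked_values(0xF0)))
    for name, pkt in SAMPLE_PACKETS.items():
        print(name, "version", ip_version(pkt),
              "header bytes" if ip_version(pkt) == 4 else "",
              ipv4_header_length(pkt) if ip_version(pkt) == 4 else "")
```

Note that in real tcpdump syntax the protocol keyword is lowercase (ip[0], not IP[0]), and the ip qualifier by itself already restricts the match to IPv4 at the link layer, so the version test is mostly a teaching exercise; the byte/mask/compare mechanics are identical for any other header field you would mask this way (for example the TCP flags byte).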