Putting a Hex on Address Range Filters
Jeff Trawick, WildPackets Professional Services
In most cases when we build address filters, we look for all traffic to and from a specific address, or pair of addresses. At times we want all the traffic for a given subnet or MAC OUI, so OmniPeek allows address filters with asterisk (*) wildcards. We can also use "slash" notation to specify subnets (e.g. 10.10.7.0/24 for a 24-bit subnet mask). Yet these methods aren't always specific enough to filter for a particular set of nodes. Suppose we need to locate all traffic for nodes with addresses in the range 10.10.7.1 to 10.10.7.30. With a subnet mask of 255.255.255.0, there are 254 possible nodes on the 10.10.7.0 subnet, so a subnet filter is too general for our purposes. We only want to accept packets that are to or from the first 30 IP addresses in the subnet. Even if we used a mask of 255.255.255.254, we would see addresses from 10.10.7.1 to 10.10.7.31, but this would include the broadcast address, which we don't want. Our filter needs to be more specific than any subnet filter we can devise.
While there are several ways to build a viable filter for this purpose, the most direct method is to "put a hex on it!" No real magic is needed: we convert the IP addresses of interest into hex strings and use them in Value Filters to find the specified addresses. We convert each byte of the IP address into hex and concatenate the individual bytes into a 4-byte hex value. In this case, the lowest address that interests us is 10.10.7.1, which converts to a hex string as follows:
So the minimum value for our IP address range is 0x0A0A0701. The highest IP address we want is 10.10.7.30. Performing the same conversion on this address gives us a maximum value for our address range of 0x0A0A071E.
Remember that you can use the Windows Calculator (or other similar calculator) to do the decimal-to-hex conversions.
Now that we have our minimum and maximum address range values, our filter needs to locate this address range in either the Source Address or Destination Address field of the IP header. In Ethernet Type II packets, these 4-byte fields begin at offsets 26 and 30, respectively. (Don't forget that these offsets will vary for other frame formats, including wireless packets!) Based on this data, we can now build our filter, which is shown below along with sample Value conditions:
The first two conditions, which are shown at right, examine the Source IP Address at offset 26 and find all values >= our minimum range value and <= our maximum range value. The two remaining Value conditions are identical to the first two, except their offset is set to 30 to evaluate the Destination IP Address. In sum, this filter says: Find all IP packets whose Source Address is within our range OR whose Destination Address is within our range.
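To make the four Value conditions concrete, here is an added Python example (not OmniPeek code, and not part of the original tip) that performs the dotted-decimal-to-hex conversion, emulates the range filter at the fixed Ethernet II offsets 26 and 30, and runs it side by side with an ordinary subnet filter over a handful of constructed frames. It also shows the offset caveat from above: a frame carrying an 802.1Q VLAN tag pushes the IP header 4 bytes further in, so a filter hard-wired to offsets 26 and 30 no longer sees the addresses. All MAC addresses, IP addresses and payloads in the frames are constructed sample data.

```python
import struct

# Fixed byte offsets of the IPv4 source and destination addresses in an
# Ethernet Type II frame: 14-byte MAC header + 12 (src) / 16 (dst) bytes into
# the IPv4 header. These are the offsets the Value conditions in the tip use.
SRC_IP_OFFSET = 26
DST_IP_OFFSET = 30
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100


def ip_to_int(ip):
    """Pack a dotted-decimal IPv4 address into the 4-byte big-endian integer
    that a Value filter compares against."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a valid IPv4 address: %r" % ip)
    return int.from_bytes(bytes(octets), "big")


def ip_to_hex(ip):
    """Dotted-decimal -> 0xAABBCCDD string, e.g. 10.10.7.1 -> 0x0A0A0701."""
    return "0x%08X" % ip_to_int(ip)


def build_frame(src_ip, dst_ip, vlan_tagged=False, payload=b"constructed"):
    """Construct a minimal Ethernet II + IPv4 frame (sample data, not a capture).
    With vlan_tagged=True a 4-byte 802.1Q tag is inserted, which shifts every
    IP header field 4 bytes further into the frame."""
    dst_mac = bytes.fromhex("001122334455")   # constructed MAC addresses
    src_mac = bytes.fromhex("66778899aabb")
    header = dst_mac + src_mac
    if vlan_tagged:
        header += struct.pack("!HH", ETHERTYPE_VLAN, 0x0064)  # VLAN ID 100
    header += struct.pack("!H", ETHERTYPE_IPV4)
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload),     # version/IHL, TOS, total length
        0, 0,                           # identification, flags/fragment offset
        64, 17, 0,                      # TTL, protocol (UDP), checksum left 0
        ip_to_int(src_ip).to_bytes(4, "big"),
        ip_to_int(dst_ip).to_bytes(4, "big"),
    )
    return header + ip_header + payload


def _ip_fields(frame):
    """Return (src, dst) read at the fixed offsets, or None if the frame is
    too short or is not an untagged IPv4 frame (where those offsets are wrong)."""
    if len(frame) < DST_IP_OFFSET + 4:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    src = int.from_bytes(frame[SRC_IP_OFFSET:SRC_IP_OFFSET + 4], "big")
    dst = int.from_bytes(frame[DST_IP_OFFSET:DST_IP_OFFSET + 4], "big")
    return src, dst


def range_filter(frame, low_ip, high_ip):
    """Emulate the four Value conditions from the tip:
    (src >= low AND src <= high) OR (dst >= low AND dst <= high)."""
    fields = _ip_fields(frame)
    if fields is None:
        return False
    low, high = ip_to_int(low_ip), ip_to_int(high_ip)
    src, dst = fields
    return low <= src <= high or low <= dst <= high


def subnet_filter(frame, network_ip, mask_ip):
    """Conventional subnet (mask) filter on the same two fields, for comparison."""
    fields = _ip_fields(frame)
    if fields is None:
        return False
    net, mask = ip_to_int(network_ip), ip_to_int(mask_ip)
    src, dst = fields
    return (src & mask) == net or (dst & mask) == net


def compare_filters():
    """Run both filters over constructed frames and return
    {description: (range_filter_result, subnet_filter_result)}."""
    cases = {
        "src 10.10.7.1 (range minimum)": build_frame("10.10.7.1", "192.0.2.9"),
        "dst 10.10.7.30 (range maximum)": build_frame("192.0.2.9", "10.10.7.30"),
        "dst 10.10.7.31 (broadcast of a /27)": build_frame("192.0.2.9", "10.10.7.31"),
        "src 10.10.7.0 (network address)": build_frame("10.10.7.0", "192.0.2.9"),
        "src 10.10.7.200 (same /24, out of range)": build_frame("10.10.7.200", "192.0.2.9"),
        "src 10.10.7.5, 802.1Q tagged": build_frame("10.10.7.5", "192.0.2.9", vlan_tagged=True),
    }
    results = {}
    for desc, frame in cases.items():
        results[desc] = (
            range_filter(frame, "10.10.7.1", "10.10.7.30"),
            subnet_filter(frame, "10.10.7.0", "255.255.255.224"),  # /27 covers .0 to .31
        )
    return results


if __name__ == "__main__":
    print("min", ip_to_hex("10.10.7.1"), "max", ip_to_hex("10.10.7.30"))
    for desc, (in_range, in_subnet) in compare_filters().items():
        print("%-42s range=%-5s /27 subnet=%s" % (desc, in_range, in_subnet))
```

The range filter accepts exactly 10.10.7.1 through 10.10.7.30 and rejects the network and broadcast addresses that the tightest fitting mask (a /27, 255.255.255.224) would let through. The tagged frame is rejected by both emulated filters because the bytes at offsets 26 and 30 are no longer the IP addresses; in a real capture you would need separate conditions with the offsets shifted by 4 (or a protocol-aware filter) to catch such frames.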
This technique would also work for MAC addresses, port numbers, and single- or multi-byte fields where you want to find a range of values. It's so easy, it seems like magic! We'll explore this further in coming tips, but for now, you’re ready to try some magic yourself. Just use this new "hex" to help you build address range filters with ease!