Background: Know: Filter masks, Prerequisites - TCP, ports, IP address, SMTP, source, destination, Recognize: 


An applied example

The example uses three conditions: TCP port 80 (web), the UNSW IP address block 149.171/16, and SMTP port 25 (email).

Here is the list of the port numbers

Rule 1 is for web: Mask=1 for the IP source address and the TCP port number;

NotMask=1 for the first 16 bits of the IP source address,

and NotMask=0 for the TCP port number;

PktData: IP source address=149.171, TCP port=80.

Rule 2 is for email: Mask=1 for the TCP port number;


PktData: TCP port=25.

Relating this to the previous slide, Filter masks:

where NotMask=0, the packet field must match PktData; where NotMask=1, it must not match.

So, when

IP.src=123.45, TCP.dport=80, the packet matches rule 1.

IP.src=123.45, TCP.dport=25, the packet matches rule 2.

IP.src=149.171, TCP.dport=80, the packet matches no rule. The port matches rule 1, but the source address equals the PktData value 149.171 where NotMask=1 requires a mismatch, so the two conditions contradict each other and rule 1 fails; the port is not 25, so rule 2 fails as well.

IP.src=149.171, TCP.dport=25, the packet matches rule 2.
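
The two rules can be evaluated mechanically. The following is an added example, not code from the original page: it packs the IP source address and TCP destination port into one 48-bit key and applies Mask, NotMask and PktData to the four packets above. Assumptions: the source-address mask covers only the first 16 bits (the /16 block), the NotMask bits are treated as one group that must differ in at least one bit, and the host parts of the sample addresses (.6.7) are constructed.

```python
import ipaddress

def key(src_ip: str, dport: int) -> int:
    """Pack the inspected fields: 32-bit IP source (high bits), 16-bit TCP dport."""
    return (int(ipaddress.IPv4Address(src_ip)) << 16) | dport

SRC_16 = 0xFFFF << 32   # first 16 bits of the IP source address (assumed /16 mask)
DPORT = 0xFFFF          # all 16 bits of the TCP destination port

# (name, Mask, NotMask, PktData), in evaluation order
RULES = [
    ("rule 1 (web)",   SRC_16 | DPORT, SRC_16, key("149.171.0.0", 80)),
    ("rule 2 (email)", DPORT,          0,      key("0.0.0.0", 25)),
]

def rule_matches(pkt: int, mask: int, notmask: int, pktdata: int) -> bool:
    diff = (pkt ^ pktdata) & mask      # masked bits where packet and PktData differ
    must_equal = mask & ~notmask       # NotMask=0: field has to match PktData
    must_differ = mask & notmask       # NotMask=1: field has to mismatch PktData
    if diff & must_equal:
        return False                   # a required-equal field differs
    if must_differ and not (diff & must_differ):
        return False                   # a required-different field is identical
    return True

def classify(src_ip: str, dport: int):
    """Return the name of the first matching rule, or None if no rule matches."""
    pkt = key(src_ip, dport)
    for name, mask, notmask, pktdata in RULES:
        if rule_matches(pkt, mask, notmask, pktdata):
            return name
    return None

if __name__ == "__main__":
    # Constructed sample packets covering the four cases in the text.
    for src, port in [("123.45.6.7", 80), ("123.45.6.7", 25),
                      ("149.171.6.7", 80), ("149.171.6.7", 25)]:
        print(f"IP.src={src:<12} TCP.dport={port:<3} -> {classify(src, port)}")
```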