Background: Know: Filter masks, Prerequisites - TCP, ports, IP address, SMTP, source, destination, Recognize:
An applied example
Here is the list of the port numbers
Rule 1 is for web: Mask=1 for the IP source address and the TCP port number;
NotMask=1 for the first 16 bits of the IP source address,
and NotMask=0 for the TCP port number;
PktData: IP source address=149.171, TCP port=80.
Rule 2 is for email: Mask=1 for the TCP port number;
PktData: TCP port=25.
Relating to the previous slide (Filter masks):
when NotMask=0, the masked field must match PktData; when NotMask=1, it must mismatch.
So, when
IP.src=123.45, TCP.dport=80, it matches rule 1.
IP.src=123.45, TCP.dport=25, it matches rule 2.
IP.src=149.171, TCP.dport=80, it matches no rule, because the source address equals Rule 1's PktData, which contradicts NotMask=1 for Rule 1, and port 80 does not match rule 2.
IP.src=149.171, TCP.dport=25, it matches rule 2.
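The four cases above can be checked mechanically. The following is an added example, not code from the original page: it assumes NotMask applies to a whole masked field rather than to each bit, that rules are tried in order, and it uses constructed host bytes (`.6.7`) and hypothetical names (`cond_ok`, `classify`, `RULES`).

```python
import ipaddress


def ip(text):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def cond_ok(value, mask, not_mask, pkt_data):
    """Evaluate one Mask/NotMask/PktData condition on a header field.

    Only bits set in `mask` are compared (mask=0 means "don't care").
    not_mask=0: the masked bits must equal PktData.
    not_mask=1: the masked bits must differ from PktData.
    """
    equal = (value & mask) == (pkt_data & mask)
    return equal != bool(not_mask)


# (field, Mask, NotMask, PktData) per condition, as given in the text.
RULES = [
    ("rule 1 (web)", [
        ("src", 0xFFFF0000, 1, ip("149.171.0.0")),  # first 16 bits, negated
        ("dport", 0xFFFF, 0, 80),
    ]),
    ("rule 2 (email)", [
        ("src", 0x00000000, 0, 0),                  # Mask=0: any source
        ("dport", 0xFFFF, 0, 25),
    ]),
]


def classify(src, dport):
    """Return the name of the first rule the packet matches, or None."""
    pkt = {"src": ip(src), "dport": dport}
    for name, conds in RULES:
        if all(cond_ok(pkt[f], m, n, d) for f, m, n, d in conds):
            return name
    return None


if __name__ == "__main__":
    # Constructed packets: only the first two address bytes come from the text.
    for src, dport in [("123.45.6.7", 80), ("123.45.6.7", 25),
                       ("149.171.6.7", 80), ("149.171.6.7", 25)]:
        print(src, dport, "->", classify(src, dport))
```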