binary patterns

Let us consider a notation for binary numbers of the form

[110 :4 4 :8 %h :8*4 %s]

meaning that:

the first 3 bits of the binary number are 110
the next 4 bits taken as a number are equal to (decimal) 4 (i.e. they are 0100)
the next 8 bits are anything, and their value as a number is to be captured as variable h
the next 32 bits constitute an array of 4 groups of 8 bits each, and their value as an array of 4 numbers has to be captured as variable s

This notation is loosely inspired by the notation for binary numbers in the Erlang programming language.

example: IP packets

The structure of (the fixed part of) an IP packet header is:

Bits Val Meaning
---- --- -------------------------------------------------------
:4   4 = IP version (must be 4, for IPv4)
:4   h = length of header (in 32-bit words)
:8   t = type of service (not used)
:16  l = length of packet
:16  i = identification of packet (within fragmented datagrams)
:1   0 = reserved bit, must be zero
:1   f = do not fragment flag
:1   m = more fragments follow flag
:13  o = offset of fragment (within fragmented datagrams)
:8   b = Time To Live (bound on number of hops)
:8   p = protocol
:16  c = checksum
:32  s = source IP address (x.y.z.t)
:32  s = destination IP address (x.y.z.t)

Example 1: decompose a IP packet header according to the above table:

match(iphd, "[:4 4 :4 %h :8 %t :16 %l   :16 %i 0%f%m :13 %o \
               :8 %b :8 %p :16 %c        :8*4 %s :8*4 %d]")

Result:

Example 2: match TCP packets (protocol = 6) on LAN (src & dst = 192.168.x.y):

match(iphd, "[:32 %x  :32 %y  :8 %b :8 6 :16 %c \
               :8*4 [192,168|%i] \
               :8*4 [192,168|%j] ]")

Result: