ep (Nimbostratus), May 12, 2015
Forgive me if I'm confused, but . . .
Wouldn't it be better if this code
binary scan [UDP::payload] @3c sflags
set rcode [expr $sflags & 0xf]
if { $rcode == 0 } {
said this instead?
binary scan [UDP::payload] @2c sflags
set qr [expr $sflags & 0x80]
if { $qr == 0 } {
My thought is that @3c selects the 4th byte of the UDP::payload, which is actually the RA, Z, and RCODE. When you & 0xf, you do get 0 if it is a query, but only because a query should always have a 0000 RCODE.
Instead, if you select the 3rd byte with @2c, you should get the QR, OPCODE, AA, TC, and RD. A QR of 0 indicates that this is a query, and something we want to inspect. By doing a & 0x80, you should only get a nonzero when it is not a query (128 = 0b10000000).
Is there a reason why you prefer looking at the RCODE and not the QR?
I've learned a lot by reading this code, thanks!
ep
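As an added illustration (not from the original post or from F5's iRule code), a Python model of the two byte tests above, run on constructed DNS headers: a query, a NOERROR response and an NXDOMAIN response. It shows why the RCODE test at offset 3 lets a successful response through as if it were a query, while the QR test at offset 2 does not.

```python
import struct

# Constructed 12-byte DNS headers (not captured traffic).  Layout:
# ID(2) FLAGS(2) QDCOUNT(2) ANCOUNT(2) NSCOUNT(2) ARCOUNT(2).  The flags
# word is QR|OPCODE(4)|AA|TC|RD in its first byte (payload offset 2) and
# RA|Z(3)|RCODE(4) in its second byte (payload offset 3).
QUERY_HDR    = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)  # QR=0, RD=1
NOERROR_HDR  = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)  # QR=1, RA=1, RCODE=0
NXDOMAIN_HDR = struct.pack("!6H", 0x1234, 0x8183, 1, 0, 0, 0)  # QR=1, RA=1, RCODE=3


def parse_flags(payload: bytes) -> dict:
    """Split the 16-bit flags word (payload bytes 2-3) into its fields."""
    (flags,) = struct.unpack("!H", payload[2:4])
    return {
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
    }


def rcode_test_says_query(payload: bytes) -> bool:
    """The original test: 4th byte (offset 3) masked with 0xf is zero.
    Python indexes bytes unsigned; Tcl's 'c' format yields a signed byte,
    but the masked result is the same under two's-complement arithmetic."""
    return (payload[3] & 0x0F) == 0


def qr_test_says_query(payload: bytes) -> bool:
    """The proposed test: the QR bit (high bit of offset 2) is zero."""
    return (payload[2] & 0x80) == 0


def classify(payload: bytes) -> dict:
    """Run both tests side by side on one header for comparison."""
    return {
        "fields": parse_flags(payload),
        "rcode_test_says_query": rcode_test_says_query(payload),
        "qr_test_says_query": qr_test_says_query(payload),
    }


if __name__ == "__main__":
    for name, hdr in (("query", QUERY_HDR), ("noerror", NOERROR_HDR),
                      ("nxdomain", NXDOMAIN_HDR)):
        print(name, classify(hdr))
```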