"Obscured" IP Numbers?
or
Why is http://3506561041/
the same as http://209.1.224.17/ ?
Which is the same as
http://geocities.datacellar.net/
( and now also
http://geocities.yahoo.com/home/ )
If you don't have the slightest idea what an IP Number is, you may wish
to skim over my IP (Number) Addressing Schemes
page first.
If you need a thorough introduction to HEXADECIMAL numbers,
then take this link to a page here called: "What is Hexadecimal?"
If you take each of the four
octets in the IP Number
209.1.224.17 and convert them to Hexadecimal, you'll
get the following byte-sized numbers:
209 = D1
  1 = 01
224 = E0
 17 = 11
Placing each of these byte-sized Hex numbers next to each
other in the same order their decimal equivalents were found in the IP
Number will form one large four-byte Hexadecimal number:
D101E011
This is part of the normal process that any Internet communications program
must go through to arrive at the 32-bit string of binary digits which is
actually used to represent this address inside a computer.
However, if we convert this number into decimal instead, we get:
3506561041
This is sometimes referred to as being this URL's "DWord" (I
don't like using a HEX term to refer to a decimal number, but you'll
see it used this way at other web sites; just think of it as a reference
to the actual DWord stored in your computer as "D101E011").
( You can use the Calculator in Windows 95/98/NT to do this conversion;
make sure to check the "Scientific" option under the
"View" menu first.)
[ Note: a digital word is considered to be two 8-bit bytes or 16-bits.
Therefore, the selection labeled "Dword" (Double-Word) (see the pic below)
refers to four 8-bit bytes or 32-bits. ]
After you've entered the number, select the "Dec" radio button
and the
conversion appears immediately in the white box... You can toggle
back
and forth between the Decimal and Hexadecimal equivalents now.
Let's try doing a conversion in the opposite direction: Suppose we came
across
the obscured IP address of
http://2130706433. Can you convert this to
its dotted-decimal form? Enter this Decimal
number into your calculator, then switch to Hex to get 7F000001.
Well. This number should already look familiar to some of you! The
7F is 127 in decimal, and the zeros and one are quite obvious. So
we have the normal IP address of:
127.0.0.1. This is the IP number reserved for your own
computer and is often referred to as localhost. If you open up
a DOS-Window and type in the command
ping localhost, you'll probably see that it replies with the
line: "Pinging whatever the name of your computer is [127.0.0.1]
with 32 bytes of data:" (If it doesn't, then enter
"ping 127.0.0.1" instead on the command line.)
NOTE: you can
ping your own computer even if you are not connected to the Net!
This can be very helpful at times.
I have no idea why such a routine ( using a single decimal
number for an IP ) was created in the first place, but it appears to work
with more Web browsers than just those of Microsoft. At first I thought it
might be a required standard for TCP/IP communications packages since this
also works in all the DOS console commands which are related to the Net;
even the rarely used ftp command! But
I've read that Proxy servers don't allow this! Any further information on
why these types of URLs are allowed by most Net software would be
appreciated.
If you do a ping on 2130706433,
you should see the following (proving it's true for at least this command):
Here's an Internet site which will quickly convert any IP address (from its
usual dotted-decimal form) to its equivalent single-decimal
form and vice-versa:
http://www.fichtner.net/tools/ip2dword/. This page does
not appear to be online at this time!
I recently received a SPAM in my email box which used an obscured IP of:
"http%3a%2f%2f3235415306%2fcheapsite%2f" and so on.
Well, the first thing you need to do is clear things up a bit by converting
the punctuation from HEX to readable characters! Any TWO hexadecimal digits
following a %-sign are simply the ASCII representations of letters
or punctuation marks used on the Net:
3a = :
2f = /
2e = .
20 = blank space
( Look up others on any ASCII chart )
So what we really have here is:
http://3235415306/cheapsite/
etc.
Now you can either use the link above (quicker?) or
your calculator: Set it to DWORD in HEX, switch to DEC and insert the
decimal IP number then switch back to HEX to get:
C0D8850A. This is equivalent to
the normal dotted-decimal representation of:
192.216.133.10. From here you
could use a number of 'whois' lookup tools to find the domain name and who
may own it before complaining to the ISP you got the SPAM from.
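The two steps just described (undo the %-escapes, then turn the single decimal number back into dotted-decimal form), as an added Python example that is not part of the original page. The function names are illustrative, and the sample URLs are the ones quoted on this page.

```python
import ipaddress
from urllib.parse import unquote, urlsplit, urlunsplit


def dword_to_dotted(value: int) -> str:
    """Split a 32-bit number into its four octets, high byte first."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def dotted_to_dword(dotted: str) -> int:
    """Inverse conversion: 209.1.224.17 -> 0xD101E011 -> 3506561041."""
    return int(ipaddress.IPv4Address(dotted))


def deobscure(url: str) -> str:
    """Undo %-escapes, then rewrite a single-decimal host as dotted-decimal."""
    decoded = unquote(url)  # %3a -> ':', %2f -> '/', and so on
    parts = urlsplit(decoded)
    # Keep any user-info and port exactly as given; only the host is rewritten.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    host, colon, port = hostport.partition(":")
    is_number = host.isascii() and host.isdigit()
    if not is_number or int(host) > 0xFFFFFFFF:
        return decoded  # a name, a dotted address, or too big for 32 bits
    netloc = userinfo + at + dword_to_dotted(int(host)) + colon + port
    return urlunsplit(
        (parts.scheme, netloc, parts.path, parts.query, parts.fragment)
    )


if __name__ == "__main__":
    # URLs taken from the text of this page.
    for sample in (
        "http://3506561041/",
        "http://2130706433",
        "http%3a%2f%2f3235415306%2fcheapsite%2f",
        "http://geocities.yahoo.com/home/",
    ):
        print(f"{sample:45} -> {deobscure(sample)}")
```

The dotted-decimal result can then be handed to a whois lookup as described above.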
If you're really interested in this subject, you have got to visit a Net
friend's page called
"How to Obscure
Any URL -- How Spammers And Scammers Hide and Confuse!" There
are a lot more details on his page!
(I just found out that he independently updated his page a while back with
some pics of the MS-Calculator similar to the ones you saw here! But there
are still enough differences to make studying both of our pages worthwhile.)