Reputation: 13735
In scapy, I see the following.
>>> a=IP(dst="www.slashdot.org/30")
>>> [p for p in a]
[<IP dst=216.105.38.12 |>,
<IP dst=216.105.38.13 |>,
<IP dst=216.105.38.14 |>,
<IP dst=216.105.38.15 |>]
But I don't see multiple targets with dig. Does anybody know why that is? What does the "/30" in the above IP command mean?
$ dig www.slashdot.org a +noall +answer
www.slashdot.org. 384 IN A 216.105.38.15
Upvotes: 0
Views: 176
Reputation: 3186
The /30 refers to CIDR notation. It is equivalent to a subnet mask of 255.255.255.252.
Essentially it's a mask to determine which bits of the IPv4 address are network bits and host bits.
/30 and 216.105.38.15 in binary are
11111111.11111111.11111111.11111100
11011000.01101001.00100110.00001111
To get the network address, you use a binary & to get 216.105.38.12. This subnet consists of all combinations of addresses where the host bits are variable. So these last two bits can be 00, 01, 10, or 11 (i.e. 0, 1, 2, 3). This translates to the .12, .13, .14, .15 we see in the scapy output.
Per the scapy IP class (scapy.layers.inet.IP), when you input a subnet for the dest IP (scapy.layers.inet.DestIPField) with dst=, it's interpreted as a subnet (scapy.base_classes.Net), and all addresses in the subnet are returned.
So I will get the same result if I pass the subnet to the Net class.
>>> from scapy.base_classes import Net # if in Python and not Scapy
>>> a = Net("www.slashdot.org/30")
>>> [p for p in a]
['216.105.38.12', '216.105.38.13', '216.105.38.14', '216.105.38.15']
Upvotes: 2
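The mask arithmetic from the answer above, carried through for any IPv4 prefix length, as an added example that is not part of the original answer and is not scapy's code. It uses neither scapy nor DNS: the address dig returned (216.105.38.15) stands in for the hostname, and the function names are hypothetical.

```python
import ipaddress
import socket
import struct


def prefix_to_mask(prefix_len):
    """Return the 32-bit netmask for an IPv4 prefix length (0-32)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer (network byte order)."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def to_dotted(value):
    """32-bit integer -> dotted-quad string."""
    return socket.inet_ntoa(struct.pack("!I", value))


def expand(cidr):
    """Return (netmask, network address, every address in the block)."""
    addr, _, prefix = cidr.partition("/")
    prefix_len = int(prefix) if prefix else 32   # a bare address is a /32
    mask = prefix_to_mask(prefix_len)
    network = to_int(addr) & mask                # keep network bits, zero host bits
    host_count = 1 << (32 - prefix_len)          # /30 -> 2 host bits -> 4 values
    members = [to_dotted(network | host) for host in range(host_count)]
    return to_dotted(mask), to_dotted(network), members


def matches_stdlib(cidr):
    """Cross-check the hand arithmetic against the ipaddress module."""
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False allows host bits set
    return expand(cidr)[2] == [str(a) for a in net]


if __name__ == "__main__":
    mask, network, members = expand("216.105.38.15/30")
    print("mask   :", mask)
    print("network:", network)
    print("members:", members)
    print("agrees with ipaddress:", matches_stdlib("216.105.38.15/30"))
```

The expansion is pure arithmetic on the one address the name resolved to, which is why dig, which only reports the A record, shows a single target.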