Some protocols like Net8 or T3 like to include hostnames / IP addresses in their data segments, like you said, but in order to do a replace, you need to interpret the application protocol. You can perform this two ways, one easy and bad, and one difficult and elegant.

1. Write iptables NAT and conntrack modules for the protocol that you are using. This will allow mangling of anything you like. Although, the work involved can be inhibitive of whatever you are doing this for.

2. You could always hack this and just write a userspace proxy that mangles the packet as it is going through, but this isn't that elegant at all. I tried doing this and it does break some protocols.

If you say your protocol, maybe there are other workarounds which we can suggest.
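An added illustration, not part of the original post, of why a blind byte replace in a userspace proxy (option 2) breaks some protocols while a rewrite that interprets the framing does not. The framing here is a constructed toy format (2-byte big-endian length, then payload), not Net8 or T3, and the addresses and messages are constructed sample values.

```python
import struct

OLD = b"10.0.0.5"        # constructed internal address (8 bytes)
NEW = b"203.0.113.10"    # constructed external address (12 bytes)

def encode_frames(payloads):
    """Toy framing: each payload is prefixed with its length as a 2-byte big-endian integer."""
    return b"".join(struct.pack(">H", len(p)) + p for p in payloads)

def decode_frames(stream):
    """Parse a complete byte stream into payloads; raise ValueError if framing is inconsistent."""
    out, pos = [], 0
    while pos < len(stream):
        if pos + 2 > len(stream):
            raise ValueError("truncated length header")
        (n,) = struct.unpack_from(">H", stream, pos)
        pos += 2
        if pos + n > len(stream):
            raise ValueError("frame runs past end of stream")
        out.append(stream[pos:pos + n])
        pos += n
    return out

def naive_rewrite(stream, old, new):
    """Blind replace on raw bytes: length prefixes are left untouched."""
    return stream.replace(old, new)

def aware_rewrite(stream, old, new):
    """Protocol-aware replace: parse frames, edit payloads, re-emit correct length prefixes."""
    return encode_frames([p.replace(old, new) for p in decode_frames(stream)])

# Constructed sample traffic: an address embedded in the data segment, then a second frame.
SAMPLE = encode_frames([b"CONNECT host=10.0.0.5 port=1521", b"PING"])

if __name__ == "__main__":
    print(decode_frames(aware_rewrite(SAMPLE, OLD, NEW)))
    try:
        decode_frames(naive_rewrite(SAMPLE, OLD, NEW))
    except ValueError as exc:
        # The first frame still claims 31 bytes, so the parser desynchronises.
        print("naive rewrite broke framing:", exc)
```

The blind replace only survives when the old and new strings have the same length, and a live proxy additionally has to buffer until a whole frame has arrived, because an address can be split across two reads.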