> When text
> wraps the boundary of one packet netfilter can no longer help, some
> form of reassembly is required before the "full" text can be read and
> taken into context.

Apparently when you use the QUEUE extension the packet is re-assembled before the packet is passed to the userspace application. This makes proper filtering and detection possible. You still have to track the entire session from userspace if you want to be accurate, but that depends on what userspace tool you're plugging into. I know of Snort and Squid, which have 'inline' modes. These programs should have some ability to filter out the garbage.
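As an added illustration of the point made above (example code, not from the thread or from any of the tools named in it): a string split across two TCP segments is invisible to a per-packet check, but a minimal per-flow reassembler that orders segments by sequence number sees it. The flow tuple, sequence numbers and payloads are constructed sample data; the reassembler assumes the first segment seen for a flow starts the stream and ignores sequence-number wrap and retransmission overlap.

```python
from collections import defaultdict

# Constructed sample segments: (flow, tcp_seq, payload). The pattern is split
# across two segments, and the last segment arrives before its predecessor.
FLOW = ("10.0.0.5", 40000, "10.0.0.9", 80)  # constructed (src, sport, dst, dport)
SEGMENTS = [
    (FLOW, 1000, b"GET /index.html?q=malic"),    # 23 bytes -> next seq 1023
    (FLOW, 1029, b"tring HTTP/1.0\r\n\r\n"),     # out of order: 1023..1028 missing
    (FLOW, 1023, b"ious-s"),                     # 6 bytes, fills the gap
]
PATTERN = b"malicious-string"


def per_packet_hits(segments, pattern):
    """Check each packet on its own, as a stateless packet filter would."""
    return [seq for _flow, seq, payload in segments if pattern in payload]


class StreamReassembler:
    """Minimal per-flow reassembler: buffers segments by sequence number and
    releases bytes only once they are contiguous with what was already released."""

    def __init__(self):
        self.buffers = defaultdict(dict)  # flow -> {seq: payload}
        self.next_seq = {}                # flow -> next expected seq

    def feed(self, flow, seq, payload):
        """Store one segment; return any newly contiguous bytes for this flow."""
        if flow not in self.next_seq:
            self.next_seq[flow] = seq     # assumption: first segment seen starts the stream
        buf = self.buffers[flow]
        buf[seq] = payload
        out = b""
        while self.next_seq[flow] in buf:  # drain everything that is now in order
            chunk = buf.pop(self.next_seq[flow])
            out += chunk
            self.next_seq[flow] += len(chunk)
        return out


def reassembled_hits(segments, pattern):
    """Run all segments through the reassembler; return flows whose stream matches."""
    reassembler = StreamReassembler()
    streams = defaultdict(bytes)
    for flow, seq, payload in segments:
        streams[flow] += reassembler.feed(flow, seq, payload)
    return {flow: data for flow, data in streams.items() if pattern in data}


if __name__ == "__main__":
    print("per-packet matches:", per_packet_hits(SEGMENTS, PATTERN))   # []
    print("reassembled matches:", reassembled_hits(SEGMENTS, PATTERN))  # {FLOW: full request}
```

Tracking state per flow like this is what the userspace tool has to do for the whole session; a real implementation also needs to handle connection teardown, sequence wrap and overlapping retransmissions.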