Re: iptables u32 tests and user logging

Hello, Jan,
I came up with the following u32 rule. Should I not multiply by 4 for
the TCP header length to get the offset, as we do for the IP header?

iptables -m u32 --u32 " 0>>22&0x3C@12>>26&0x3C@0&0xFF000000=0x01
&&
0>>22&0x3C@12>>26&0x3C@16=0x00000000:0xFFFFFFFF" -j ulog

For a packet with TOS bits set, I am inspecting the first byte of the
TCP payload and, if that matches, need to record/log the value from
16-19 in the TCP payload. Since a test has to be made, I just compared
those byte values to be in the range of all 0's to all FF's, which
obviously they would be. So, with this test done, the action I would
like to do is log those four byte values.

1. My requirement is as stated by Grant: I just need to log those four
bytes (ITT value) from the iSCSI header. Are there any options in
Linux space? With u32 I came so close, yet it was not able to fulfill
it.

2. I tried ULOG to provide an option to log the bytes of interest. Will
cp range provide the first few bytes of the packet, say 100 bytes?
Can I use this option instead of 0? (A caution in the man page says to
leave it at 0.)

Thanks again,
Padmanabhan
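
Added example (not part of the original message): a small Python model of how u32 walks the rule above, run on a constructed IPv4/TCP/iSCSI packet. It shows that >>26&0x3C already yields the TCP header length in bytes (the data-offset nibble times 4), and that a value masked with 0xFF000000 can only be 0 or at least 0x01000000, so comparing it with 0x01 never matches while >>24=0x01 does. The function names and all packet contents are assumptions made for this illustration.

```python
import re
import struct

def u32_location(pkt: bytes, expr: str) -> int:
    """Evaluate a u32 location, e.g. '0>>22&0x3C@12>>26&0x3C@16'."""
    tokens = re.findall(r"[@&]|<<|>>|0[xX][0-9a-fA-F]+|\d+", expr.replace(" ", ""))
    base = 0  # running offset, advanced by every '@'

    def read(off: int) -> int:
        if base + off + 4 > len(pkt):
            raise ValueError("u32 read past end of packet")
        return struct.unpack_from("!I", pkt, base + off)[0]  # big-endian 32 bits

    val = read(int(tokens[0], 0))
    for op, num in zip(tokens[1::2], tokens[2::2]):
        n = int(num, 0)
        if op == "&":
            val &= n
        elif op == ">>":
            val >>= n
        elif op == "<<":
            val = (val << n) & 0xFFFFFFFF
        else:  # '@': current value becomes an offset, then read at base+n
            base += val
            val = read(n)
    return val

def u32_test(pkt: bytes, test: str) -> bool:
    """Evaluate one 'location=value' or 'location=lo:hi' test."""
    loc, rng = test.split("=")
    lo, _, hi = rng.partition(":")
    return int(lo, 0) <= u32_location(pkt, loc) <= int(hi or lo, 0)

def sample_packet() -> bytes:
    """Constructed packet: 20-byte IP, 32-byte TCP (data offset 8), 48-byte iSCSI BHS."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 100, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 3260, 1, 1, 8 << 4, 0x18,
                      65535, 0, 0) + bytes(12)  # 12 bytes of option padding
    bhs = bytearray(48)
    bhs[0] = 0x01                                   # first payload byte
    bhs[16:20] = struct.pack("!I", 0xDEADBEEF)      # constructed ITT value
    return ip + tcp + bytes(bhs)

if __name__ == "__main__":
    pkt, tcp_payload = sample_packet(), "0>>22&0x3C@12>>26&0x3C"
    print("IP header bytes :", u32_location(pkt, "0>>22&0x3C"))
    print("TCP header bytes:", u32_location(pkt, tcp_payload))
    print("mask =0x01      :", u32_test(pkt, tcp_payload + "@0&0xFF000000=0x01"))
    print("shift >>24=0x01 :", u32_test(pkt, tcp_payload + "@0>>24=0x01"))
    print("bytes 16-19     : 0x%08X" % u32_location(pkt, tcp_payload + "@16"))
```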