Hi Jan, On Fri, Oct 1, 2010 at 5:55 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote: > > On Saturday 2010-09-25 20:12, Greg Oliver wrote: >>> 19:40:13.666679 IP ghost.29364 > ccs1.25862: UDP, length 13 >>> Â Â Â Â0x0000: Â45b8 0029 95cd 0000 3d11 9c86 c0a8 6476 ÂE..)....=.....dv >>> Â Â Â Â0x0010: Âc0a8 64f1 72b4 6506 0015 bbc9 800d 9f6b Â..d.r.e........k >>> Â Â Â Â0x0020: Â7c06 b562 a690 c613 6400 0000 0000 Â Â Â |..b....d..... >>> >>> 800d is what I want to catch in bytes 27,28... > > But 800D is at position 0x1C = 28 (counting from 0), so > >>> -A INPUT -m u32 --u32 "0>>22&0x3C@6=0x800D" -j LOG --log-prefix "CNOISE: " >>> -A INPUT -m u32 --u32 "26&0xFFFF=0x800D" -j LOG --log-prefix "CNOISE: " > > Â--u32 "28 >> 16 & 0xFFFF = 0x800D" > > or with the IPv4 header, > > Â--u32 "0 >> 22 & 0x3C @ 8 >> 16 & 0xFFFF = 0x800D" Thanks for the response - I will get to try this out tomorrow again. I really do not understand the difference between your rule and the original though. You are going to 28 and reading the next 2 bytes, whereas I am starting at 26 and discarding the first 2 bytes right? I thought I got it all from the __only__ tutorial out there :) And I though I understood it as well, but hey - you never know. Obviously I do not. I'll try it again tomorrow though. Thanks! -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html