Re: string and u32 modules

Hi Jan,

On Fri, Oct 1, 2010 at 5:55 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
>
> On Saturday 2010-09-25 20:12, Greg Oliver wrote:
>>> 19:40:13.666679 IP ghost.29364 > ccs1.25862: UDP, length 13
>>>         0x0000:  45b8 0029 95cd 0000 3d11 9c86 c0a8 6476  E..)....=.....dv
>>>         0x0010:  c0a8 64f1 72b4 6506 0015 bbc9 800d 9f6b  ..d.r.e........k
>>>         0x0020:  7c06 b562 a690 c613 6400 0000 0000       |..b....d.....
>>>
>>> 800d is what I want to catch in bytes 27,28...
>
> But 800D is at position 0x1C = 28 (counting from 0), so
>
>>> -A INPUT -m u32 --u32 "0>>22&0x3C@6=0x800D" -j LOG --log-prefix "CNOISE: "
>>> -A INPUT -m u32 --u32 "26&0xFFFF=0x800D" -j LOG --log-prefix "CNOISE: "
>
>  --u32 "28 >> 16 & 0xFFFF = 0x800D"
>
> or with the IPv4 header,
>
>  --u32 "0 >> 22 & 0x3C @ 8 >> 16 & 0xFFFF = 0x800D"

Thanks for the response - I will get to try this out tomorrow again.
I really do not understand the difference between your rule and the
original though.  You are going to 28 and reading the next 2 bytes,
whereas I am starting at 26 and discarding the first 2 bytes right?

I thought I got it all from the __only__ tutorial out there  :)   And
I thought I understood it as well, but hey - you never know.  Obviously
I do not.

I'll try it again tomorrow though.

Thanks!
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
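The exchange above turns on exactly how u32 reads bytes out of the packet, so here is an added example (mine, not code from the thread or from the netfilter project) that evaluates the four rule bodies quoted above against the packet in Greg's hexdump. It follows the u32 semantics documented in iptables-extensions(8): a bare number loads the four bytes starting at that offset from the first byte of the IP header as a big-endian 32-bit value; `>>`, `<<` and `&` operate on that value; `@` makes the current value the base for the next offset; `=` compares against a comma-separated list of values or `lo:hi` ranges; and a load that does not have four bytes left in the packet fails the match. Only a single test is handled, not `&&` chains. The function names and the few extra test expressions are my own.

```python
"""Evaluate iptables u32 match expressions against a captured IPv4 packet.

Added example for this thread (not netfilter code). Implements the u32
semantics from iptables-extensions(8) for a single test: load 4 bytes
big-endian at an offset, apply >> << &, rebase with @, compare with =.
"""
import re

MASK32 = 0xFFFFFFFF

# The packet from the tcpdump hexdump quoted in the thread, IP header onward
# (u32 sees the packet from the IP header, like tcpdump -x on an IP packet).
# The trailing zero bytes are Ethernet minimum-frame padding.
PACKET = bytes.fromhex(
    "45b8 0029 95cd 0000 3d11 9c86 c0a8 6476"
    "c0a8 64f1 72b4 6506 0015 bbc9 800d 9f6b"
    "7c06 b562 a690 c613 6400 0000 0000"
)

# The four rule bodies discussed in the thread (Greg's two, then Jan's two).
THREAD_RULES = [
    "0>>22&0x3C@6=0x800D",
    "26&0xFFFF=0x800D",
    "28 >> 16 & 0xFFFF = 0x800D",
    "0 >> 22 & 0x3C @ 8 >> 16 & 0xFFFF = 0x800D",
]

_TOKEN = re.compile(r"\s*(0[xX][0-9a-fA-F]+|\d+|>>|<<|&|@|=|,|:)")
_NUMBER = re.compile(r"0[xX][0-9a-fA-F]+|\d+")


class _LoadOutOfPacket(Exception):
    """A load would read past the end of the packet: the test fails."""


def tokenize(expr):
    """Split a u32 expression into numbers and operators, ignoring blanks."""
    tokens, pos, expr = [], 0, expr.rstrip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected text in u32 expression: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def u32_eval(expr, pkt):
    """Return (value, matched): the 32-bit quantity the test compared (None if
    a load fell off the packet) and whether the match would succeed."""
    tokens = tokenize(expr)
    pos = 0

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("u32 expression ended early")
        pos += 1
        return tokens[pos - 1]

    def number():
        tok = take()
        if not _NUMBER.fullmatch(tok):
            raise ValueError(f"expected a number, got {tok!r}")
        return int(tok, 16) if tok[:2].lower() == "0x" else int(tok, 10)

    def load(offset):
        if offset + 4 > len(pkt):          # all 4 bytes must be in the packet
            raise _LoadOutOfPacket(offset)
        return int.from_bytes(pkt[offset:offset + 4], "big")

    try:
        value = load(number())             # first number: offset from IP header
        while (op := take()) != "=":
            if op == ">>":
                value = (value >> number()) & MASK32
            elif op == "<<":
                value = (value << number()) & MASK32
            elif op == "&":
                value &= number()
            elif op == "@":
                value = load(value + number())   # next offset is relative to value
            else:
                raise ValueError(f"unexpected operator {op!r}")
    except _LoadOutOfPacket:
        return None, False

    ranges = []                            # right-hand side: v1[:v2][,v3[:v4]...]
    while True:
        lo = hi = number()
        if pos < len(tokens) and tokens[pos] == ":":
            take()
            hi = number()
        ranges.append((lo, hi))
        if pos < len(tokens) and tokens[pos] == ",":
            take()
            continue
        break
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]!r}")
    return value, any(lo <= value <= hi for lo, hi in ranges)


def u32_match(expr, pkt):
    """True if the single u32 test expr matches pkt."""
    return u32_eval(expr, pkt)[1]


def evaluate_thread_rules(pkt=PACKET):
    """Map each rule body from the thread to (value_seen, matched)."""
    return {rule: u32_eval(rule, pkt) for rule in THREAD_RULES}


if __name__ == "__main__":
    for rule, (value, matched) in evaluate_thread_rules().items():
        seen = "load past end" if value is None else f"0x{value:08x}"
        print(f"{rule!r:48} sees {seen:14} -> {'match' if matched else 'no match'}")
```

Run stand-alone, it shows the difference Greg asks about: `26&0xFFFF` loads 0xbbc9800d at offset 26 and keeps only the low 16 bits, while `28 >> 16 & 0xFFFF` loads 0x800d9f6b at offset 28 and keeps the high 16 bits, so both reduce to 0x800d and both match this packet. The first rule, `0>>22&0x3C@6=0x800D`, has no shift or mask after the `@6` load, so it compares the whole word 0xbbc9800d against 0x800D and never matches; Jan's header-relative form adds the `>> 16 & 0xFFFF` that makes it work.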

