On Wednesday 2010-10-06 05:10, Greg Oliver wrote: >>>> 19:40:13.666679 IP ghost.29364 > ccs1.25862: UDP, length 13 >>>> Â Â Â Â0x0000: Â45b8 0029 95cd 0000 3d11 9c86 c0a8 6476 ÂE..)....=.....dv >>>> Â Â Â Â0x0010: Âc0a8 64f1 72b4 6506 0015 bbc9 800d 9f6b Â..d.r.e........k >>>> Â Â Â Â0x0020: Â7c06 b562 a690 c613 6400 0000 0000 Â Â Â |..b....d..... >>>> >>>> 800d is what I want to catch in bytes 27,28... >> >> But 800D is at position 0x1C = 28 (counting from 0), so >> >>>> -A INPUT -m u32 --u32 "0>>22&0x3C@6=0x800D" -j LOG --log-prefix "CNOISE: " >>>> -A INPUT -m u32 --u32 "26&0xFFFF=0x800D" -j LOG --log-prefix "CNOISE: " >> >> Â--u32 "28 >> 16 & 0xFFFF = 0x800D" >> >> or with the IPv4 header, >> >> Â--u32 "0 >> 22 & 0x3C @ 8 >> 16 & 0xFFFF = 0x800D" > >Thanks for the response - I will get to try this out tomorrow again. >I really do not understand the difference between your rule and the >original though. You are going to 28 and reading the next 2 bytes, >whereas I am starting at 26 and discarding the first 2 bytes right? Ah heh, indeed. However, in 0>>22&0x3C@6, you are missing the &0xFFFF portion. As for 28/26.. strange. Maybe some printks can shed light. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html