Hi netfilter,

I'm interested in counting the total number of bytes emitted by a particular application/flow, including ip+tcp headers. In theory, this is what the counter counts, but the accuracy is broken by GSO.

The man page says the following:

> Careful with matching on ip length: If GRO/GSO is enabled, then the Linux kernel might aggregate several packets into one big packet that is larger than MTU. Moreover, if GRO/GSO maximum size is larger than 65535 (see man ip-link(8), specifically gro_ipv6_max_size and gso_ipv6_max_size), then ip length might be 0 for such jumbo packets. meta length allows you to match on the packet length including the IP header size. If you want to perform heuristics on the ip length field, then disable GRO/GSO.

But afaict, disabling GSO will not have any effect on the ip header length field — large packets are still generated with len > mtu and remain intact for all of the netfilter hooks before they are segmented. I think this paragraph should probably be removed.

Is it possible to make an accurate count of bytes in netfilter?

Thanks,
Ronan