[cod] CoD2 UDP flood

Geoff Goas gitman at gmail.com
Fri Feb 24 04:41:54 EST 2012 

You're right, and I see my error. That is frustrating because I have no
idea why it doesn't work with the offset specified then.

On Fri, Feb 24, 2012 at 4:10 AM, Luca Farflame Fabbro <
farflame at cybergames.it> wrote:

> Try this command
> tcpdump -c 4 -nnvvvXS dst port 28960
> where port is the port that you want to monitor
> should be something like
>
>         0x0000:  4500 002b 35b3 0000 7511 179b b612 80ad  E..+5...u.......
>         0x0010:  c0a8 010c 7012 7120 0017 0000 ffff ffff  ....p.q.........
>         0x0020:  6765 7473 7461 7475 730a 0000 0000       getstatus.....
>
> On Feb 24, 2012, at 9:54 AM, Geoff Goas wrote:
>
> That is strange, because if I use those values, it does not work. If I use
> "--from 31" alone, then it works. As soon as I change that to 32, it stops
> working. When I inspect the packets in Wireshark, the "getstatus" string
> starts at offset 48 if counting from 1. Would there be a way for iptables
> to print to log what it sees in the specified offset range?
>
> On Fri, Feb 24, 2012 at 3:28 AM, Luca Farflame Fabbro <
> farflame at cybergames.it> wrote:
>
>> It doesn't matter the length of the packet.
>> That rule will try to find the string "gestatus" starting at position 32
>> bytes from start of packet and searching for it at maximum at position 41.
>> The Q3 protocol for that command expects the string to be in that range.
>>
>> On Feb 24, 2012, at 1:11 AM, Geoff Goas wrote:
>>
>> Is the offset range of 32-41 based on a 60-byte packet?
>>
>> On Thu, Feb 23, 2012 at 10:34 AM, Marco Padovan <evcz at evcz.tk> wrote:
>>
>>>  iptables -A INPUT -p udp -m string --string "getstatus" --algo bm
>>> --from 32 --to 41 -j DROP
>>>
>>> --
>> *Geoff Goas
>> Systems Engineer*
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>>
>>
>>
>> _______________________________________________
>> cod mailing list
>> cod at icculus.org
>> http://icculus.org/mailman/listinfo/cod
>>
>>
>
>
> --
> *Geoff Goas
> Systems Engineer*
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod
>
>
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod
>
>


-- 
*Geoff Goas
Systems Engineer*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://icculus.org/pipermail/cod/attachments/20120224/2aefe77a/attachment-0001.htm>

More information about the cod mailing list