<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
    Something I noticed when I was using libpcap natively from C is
    that OpenVZ VPSes have a 16-byte Ethernet header instead of the
    usual 14-byte Ethernet header that a typical physical server has.
    Maybe something like that is making a difference in the offset?<br>
<br>
<i>Boyd</i><br>
<div class="moz-signature"><br>
</div>
<br>
On 02/24/2012 05:10 AM, Marco Padovan wrote:
<blockquote cite="mid:4F47702C.8@evcz.tk" type="cite">
<font size="-1"><font face="Verdana">Be aware that there are two
different ways to talk about offset: packet offset (includes
header) and payload offset</font></font> (does not include
header)<br>
<br>
      On 24/02/2012 10:41, Geoff Goas wrote:
<blockquote
cite="mid:CAB8_CqKt=euaic0khRyEDAVW95k8jfv51qOwrGWJTRcMwivvmg@mail.gmail.com"
type="cite">You're right, and I see my error. That is
frustrating because I have no idea why it doesn't work with the
offset specified then.<br>
<br>
<div class="gmail_quote">On Fri, Feb 24, 2012 at 4:10 AM, Luca
          Farflame Fabbro <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:farflame@cybergames.it">farflame@cybergames.it</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
<div>Try this command</div>
tcpdump -c 4 -nnvvvXS dst port 28960
<div>where port is the port that you want to monitor</div>
<div>should be something like</div>
<div><br>
</div>
<div>
<div><font face="'Courier New'"> 0x0000: 4500
002b 35b3 0000 7511 179b b612 80ad E..+5...u.......</font></div>
<div><font face="'Courier New'"> 0x0010: c0a8
010c 7012 7120 0017 0000 ffff ffff ....p.q.........</font></div>
<div><font face="'Courier New'"> 0x0020: 6765
7473 7461 7475 730a 0000 0000 getstatus.....</font></div>
</div>
<div>
<div class="h5">
<div><br>
</div>
<div>On Feb 24, 2012, at 9:54 AM, Geoff Goas wrote:</div>
<div>
<div><br>
<blockquote type="cite">That is strange, because
if I use those values, it does not work. If I
use "--from 31" alone, then it works. As soon as
I change that to 32, it stops working. When I
inspect the packets in Wireshark, the
"getstatus" string starts at offset 48 if
counting from 1. Would there be a way for
iptables to print to log what it sees in the
specified offset range?<br>
<br>
<div class="gmail_quote">On Fri, Feb 24, 2012 at
                        3:28 AM, Luca Farflame Fabbro <span dir="ltr">&lt;<a
                            moz-do-not-send="true"
                            href="mailto:farflame@cybergames.it"
                            target="_blank">farflame@cybergames.it</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
                          <div style="word-wrap:break-word">The length
                            of the packet doesn't matter.
                            <div>That rule will try to find the string
                              "getstatus" starting at position 32 bytes
                              from the start of the packet and searching
                              for it up to position 41 at most.</div>
<div>The Q3 protocol for that command
expects the string to be in that range.<br>
<div> <br>
<div>
<div>
<div>On Feb 24, 2012, at 1:11 AM,
Geoff Goas wrote:</div>
<br>
</div>
<blockquote type="cite">
<div>Is the offset range of 32-41
based on a 60-byte packet?<br>
<br>
<div class="gmail_quote">On Thu,
Feb 23, 2012 at 10:34 AM,
                                      Marco Padovan <span dir="ltr">&lt;<a
                                          moz-do-not-send="true"
                                          href="mailto:evcz@evcz.tk"
                                          target="_blank">evcz@evcz.tk</a>&gt;</span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000"> iptables
-A INPUT -p udp -m string
--string "getstatus"
--algo bm --from 32 --to
41 -j DROP<br>
<br>
</div>
</blockquote>
</div>
</div>
<div>-- <br>
<i><b><font size="1"><span
style="font-family:tahoma,sans-serif">Geoff
Goas</span><br
style="font-family:tahoma,sans-serif">
<span
style="font-family:tahoma,sans-serif">Systems
Engineer</span></font></b></i><br>
<br>
_______________________________________________<br>
cod mailing list<br>
<a moz-do-not-send="true"
href="mailto:cod@icculus.org"
target="_blank">cod@icculus.org</a><br>
<a moz-do-not-send="true"
href="http://icculus.org/mailman/listinfo/cod"
target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<i><b><font size="1"><span
style="font-family:tahoma,sans-serif">Geoff
Goas</span><br
style="font-family:tahoma,sans-serif">
<span
style="font-family:tahoma,sans-serif">Systems
Engineer</span></font></b></i><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<i><b><font size="1"><span style="font-family:tahoma,sans-serif">Geoff
Goas</span><br style="font-family:tahoma,sans-serif">
<span style="font-family:tahoma,sans-serif">Systems
Engineer</span></font></b></i><br>
<br>
<br>
</blockquote>
<br>
</blockquote>
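<p>Added example, not part of the original messages: the two ways of counting an offset discussed above, computed for the packet in the quoted tcpdump output (hex bytes copied from it). The helper names are hypothetical, and treating the 14- and 16-byte link headers as a simple prefix in front of the IP header is an assumption of this sketch.</p>
<pre>
```python
# Added example: offsets of "getstatus" in the packet from the quoted tcpdump output.
import struct

# Bytes copied from the quoted tcpdump -X output, which starts at the IP header.
DUMP_HEX = (
    "4500 002b 35b3 0000 7511 179b b612 80ad "
    "c0a8 010c 7012 7120 0017 0000 ffff ffff "
    "6765 7473 7461 7475 730a 0000 0000"
)
PACKET = bytes.fromhex(DUMP_HEX.replace(" ", ""))
PATTERN = b"getstatus"
# Link-layer header sizes named in the thread: 14 (usual Ethernet), 16 (OpenVZ VPS).
LINK_HEADER_SIZES = (14, 16)


def parse_ipv4_udp(packet):
    """Return (payload_start, payload) for an IPv4/UDP packet (hypothetical helper)."""
    version, ihl_words = divmod(packet[0], 16)
    ip_header_len = ihl_words * 4
    if version != 4 or ip_header_len not in range(20, 61) or packet[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len > len(packet):
        raise ValueError("capture is shorter than the IP total length")
    udp_len = struct.unpack("!H", packet[ip_header_len + 4:ip_header_len + 6])[0]
    if udp_len not in range(8, total_len - ip_header_len + 1):
        raise ValueError("bad UDP length")
    payload_start = ip_header_len + 8
    # Slice by the UDP length so link-layer padding is not counted as payload.
    return payload_start, packet[payload_start:ip_header_len + udp_len]


def pattern_offsets(packet, pattern=PATTERN):
    """Zero-based start of pattern under each way of counting, or None."""
    payload_start, payload = parse_ipv4_udp(packet)
    in_payload = payload.find(pattern)
    if in_payload == -1:
        return None
    from_ip = payload_start + in_payload
    offsets = {"payload": in_payload, "ip_header": from_ip}
    for size in LINK_HEADER_SIZES:
        offsets["frame_%d" % size] = size + from_ip
    return offsets


if __name__ == "__main__":
    for name, start in pattern_offsets(PACKET).items():
        print("%-10s start=%d end=%d" % (name, start, start + len(PATTERN) - 1))
```
</pre>
<p>For this packet the string occupies bytes 32 to 40 counted from the IP header, the window the rule's --from 32 --to 41 is aimed at; counted from the start of a captured frame the same bytes begin at 46 or 48 depending on the link header size.</p>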
</body>
</html>