[cod] CoD2 UDP flood
Marco Padovan
evcz at evcz.tk
Fri Feb 24 06:10:36 EST 2012
Be aware that there are two different ways to talk about offset: packet
offset (includes header) and payload offset (does not include header).
On 24/02/2012 10:41, Geoff Goas wrote:
> You're right, and I see my error. That is frustrating because I have
> no idea why it doesn't work with the offset specified then.
>
> On Fri, Feb 24, 2012 at 4:10 AM, Luca Farflame Fabbro
> <farflame at cybergames.it> wrote:
>
> Try this command
> tcpdump -c 4 -nnvvvXS dst port 28960
> where port is the port that you want to monitor
> should be something like
>
> 0x0000: 4500 002b 35b3 0000 7511 179b b612 80ad  E..+5...u.......
> 0x0010: c0a8 010c 7012 7120 0017 0000 ffff ffff  ....p.q.........
> 0x0020: 6765 7473 7461 7475 730a 0000 0000       getstatus.....
>
> On Feb 24, 2012, at 9:54 AM, Geoff Goas wrote:
>
>> That is strange, because if I use those values, it does not work.
>> If I use "--from 31" alone, then it works. As soon as I change
>> that to 32, it stops working. When I inspect the packets in
>> Wireshark, the "getstatus" string starts at offset 48 if counting
>> from 1. Would there be a way for iptables to print to log what it
>> sees in the specified offset range?
>>
>> On Fri, Feb 24, 2012 at 3:28 AM, Luca Farflame Fabbro
>> <farflame at cybergames.it> wrote:
>>
>> The length of the packet doesn't matter.
>> That rule will try to find the string "getstatus" starting at
>> position 32 bytes from the start of the packet and searching for it
>> up to position 41 at most.
>> The Q3 protocol for that command expects the string to be in
>> that range.
>>
>> On Feb 24, 2012, at 1:11 AM, Geoff Goas wrote:
>>
>>> Is the offset range of 32-41 based on a 60-byte packet?
>>>
>>> On Thu, Feb 23, 2012 at 10:34 AM, Marco Padovan
>>> <evcz at evcz.tk> wrote:
>>>
>>> iptables -A INPUT -p udp -m string --string "getstatus"
>>> --algo bm --from 32 --to 41 -j DROP
>>>
>>> --
>>> /*Geoff Goas
>>> Systems Engineer*/
>>>
>>> _______________________________________________
>>> cod mailing list
>>> cod at icculus.org
>>> http://icculus.org/mailman/listinfo/cod
>>
>> --
>> /*Geoff Goas
>> Systems Engineer*/
>>
> --
> /*Geoff Goas
> Systems Engineer*/
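
The two ways of counting offsets mentioned at the top of this message, worked out on the tcpdump dump quoted in the thread. This is an added example, not code from any poster; `dump_to_bytes` and `locate` are names made up here, and the 14-byte Ethernet header used for the capture-frame offset is an assumption.

```python
import struct

# Hex dump copied from the tcpdump output quoted in the thread.
# tcpdump -X prints from the IP header onward (no link-level header).
DUMP = """\
0x0000: 4500 002b 35b3 0000 7511 179b b612 80ad
0x0010: c0a8 010c 7012 7120 0017 0000 ffff ffff
0x0020: 6765 7473 7461 7475 730a 0000 0000
"""

def dump_to_bytes(dump):
    """Convert 'offset: hex hex ...' lines into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" in line:
            out += bytes.fromhex(line.split(":", 1)[1].replace(" ", ""))
    return bytes(out)

def locate(packet, pattern, link_hdr_len=14):
    """Report where `pattern` sits, counted from three reference points.

    link_hdr_len=14 assumes plain Ethernet II (no VLAN tag); it only
    affects frame_offset, which is what a frame-level capture shows.
    """
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4              # IP header length in bytes
    if packet[9] != 17:
        raise ValueError("not UDP")
    _sport, dport, udp_len = struct.unpack_from("!HHH", packet, ihl)
    payload_start = ihl + 8                   # UDP header is always 8 bytes
    payload = packet[payload_start:ihl + udp_len]  # excludes link padding
    idx = payload.find(pattern)
    if idx < 0:
        return None
    first = payload_start + idx
    return {
        "dst_port": dport,
        "payload_offset": idx,                # counted from UDP payload start
        "packet_offset": first,               # counted from IP header start
        "packet_last_byte": first + len(pattern) - 1,
        "frame_offset": link_hdr_len + first, # counted from link-layer frame start
    }

if __name__ == "__main__":
    for name, value in locate(dump_to_bytes(DUMP), b"getstatus").items():
        print(f"{name:18} {value}")
```

All offsets are zero-based; add 1 when comparing with a tool or count that starts at 1.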