Old 03-30-2009, 09:16 PM   #1
LQ Newbie
Registered: Feb 2006
Posts: 6

Rep: Reputation: 0
Blocking UDP packet

I want to deny a particular malicious UDP packet. I can readily identify this packet from the rest by looking at the data section, where data offset 2 is 0xaa, data[5] is 0xbb, etc. Are there any tools or code samples that can do this?

Basically, instead of seeing the packet in the following tcpdump, I want to block it. I started to write a proxy but realized I would need to keep sessions and that's a nightmare. Is there an easier way to do this? The firewalls I've seen only block based on port, not on data payload.

tcpdump -i eth1 udp[2:1] = 0xaa and udp[5:2] = 0xbbcc
Old 04-01-2009, 02:46 AM   #2
Registered: Feb 2008
Location: JHB South Africa
Distribution: Centos, Kubuntu, Cross LFS, OpenSolaris
Posts: 806

Rep: Reputation: 41
Not all firewalls are just based on port and stuff; iptables can match by strings. Take a look at the man page or run the command:
iptables -m string -h
Old 04-01-2009, 01:42 PM   #3
LQ Newbie
Registered: Feb 2006
Posts: 6

Original Poster
Rep: Reputation: 0
Originally Posted by datopdog:
Not all firewalls are just based on port and stuff; iptables can match by strings. Take a look at the man page or run the command:
iptables -m string -h
Yeah, I finally found a way to do it in iptables, although it's not often documented.

iptables -m string --hex-string "|aa bb|" --from <byte> --to <byte> --algo bm


iptables -m u32 --u32 "Start&Mask=Range"

And that's working great for me. Is there anything similar on the Windows platform?
Old 04-08-2009, 04:07 AM   #4
Senior Member
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234
From man:/iptables:

U32 allows you to extract quantities of up to 4 bytes from a packet, AND them with specified masks, shift them by specified amounts and test whether the results are in any of a set of specified ranges. The specification of what to extract is general enough to skip over headers with lengths stored in the packet, as in IP or TCP header lengths.

(Please note: This match requires kernel support that might not be available in official Linux kernel sources or Debian's packaged Linux kernel sources. And if support for this match is available for the specific Linux kernel source version, that support might not be enabled in the current Linux kernel binary.)

Details and examples are in the kernel module source.
N.B. the underlined note -- this may not be available to all readers.

No thread on iptables would be complete w/o links to
Oskar Andreasson's Iptables Tutorial found at:

There is an unnumbered "pretty" version at
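
Added example, not part of the thread or of iptables itself: a Python sketch that builds the u32 expression for the signature in post #1 and evaluates it with the register machine the man page describes, so the offsets can be checked against constructed packets before the rule is loaded. It assumes IPv4 and that the offsets count from the start of the UDP payload; the function names, the sample packets and the INPUT chain are assumptions.

```python
import re, struct

def payload_test(offset, value):
    """Build one u32 test for `value` (1-4 bytes) at `offset` in the UDP payload."""
    width = len(value)
    start = 8 + offset + width - 4  # 8 = UDP header; load the 4 bytes ENDING at the last tested byte
    mask = (1 << 8 * width) - 1
    # "0>>22&0x3C@" extracts the IP header length and moves past the IP header
    return f"0>>22&0x3C@{start}&0x{mask:X}=0x{int.from_bytes(value, 'big'):X}"

def u32_match(expr, pkt):
    """Evaluate a u32 expression over raw IPv4 bytes, following the register
    machine in the iptables man page (A = base offset, C = 32-bit value)."""
    for test in expr.split("&&"):
        loc, values = test.split("=")
        a = c = 0
        for op, num in re.findall(r"(&|<<|>>|@|^)\s*(0x[0-9a-fA-F]+|\d+)", loc.strip()):
            n = int(num, 0)
            if op == "&":
                c &= n
            elif op == "<<":
                c = (c << n) & 0xFFFFFFFF
            elif op == ">>":
                c >>= n
            else:  # plain number or @number: (advance A by C,) load 4 bytes at A+n
                a += c if op == "@" else 0
                if a + n + 4 > len(pkt):
                    return False  # read outside the packet: the match fails
                c = int.from_bytes(pkt[a + n:a + n + 4], "big")
        ranges = [r.split(":") for r in values.split(",")]
        if not any(int(r[0], 0) <= c <= int(r[-1], 0) for r in ranges):
            return False
    return True

def ipv4_udp(payload, ihl=5):
    """Constructed sample packet: IPv4 header of `ihl` words, UDP header, payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 8 + len(payload), 0, 0,
                     64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", 40000, 9999, 8 + len(payload), 0)
    return ip + bytes(ihl * 4 - 20) + udp + payload

# Signature from post #1: payload byte 2 is 0xaa, payload bytes 5-6 are 0xbbcc
EXPR = " && ".join([payload_test(2, b"\xaa"), payload_test(5, b"\xbb\xcc")])

if __name__ == "__main__":
    print(f'iptables -A INPUT -p udp -m u32 --u32 "{EXPR}" -j DROP')
```

Because the expression reads the IP header length instead of assuming 20 bytes, it still lines up on packets that carry IP options; a packet too short to contain the tested bytes simply does not match.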


