Hi Peter, right, a generic filter is needed because the built-in IP filter only looks at (src|dst) addresses and ports, not the packet length. A UDP packet is embedded in an IP packet, i.e. the IP header comes first, then the UDP header, then the UDP data if any. The filter has to check 2 values: a) from the IP header, it checks if the packet is an UDP packet b) from the UDP header it checks the length field So we chain 2 filters (More=Yes in the first filter). OK let's go. The 10th byte in the IP header contains the protocol type ID byte which for UDP must be 17 dec = 0x11. Filters Name=filter-name Input filters... In filter 01 Generic... Forward=No Offset=9 Length=1 Mask=FF 00 00 00 00 00 00 00 Value=11 00 00 00 00 00 00 00 Compare=Equals More=Yes Now the UDP part. The header is 8 bytes long, byte 5+6 contain the length of the UDP packet in bytes _including_ the header. So the minimum length is 8 dec=0x8. In filter 02 Generic... Forward=No Offset=24 Length=2 Mask=FF FF 00 00 00 00 00 00 Value=00 08 00 00 00 00 00 00 Compare=Equals More=No And at last the ususal forward all... In filter 03 Generic... Forward=Yes Offset=0 Length=0 Mask=00 00 00 00 00 00 00 00 Value=00 08 00 00 00 00 00 00 Compare=Equals More=No Comments: 1. For all offsets I assume that the ASCEND filters deal with IP packets. IP packets carry an Ethernet header of 14 bytes length which I did not take into account. I am too dumb to find this piece of information in the ASCEND docs. 2. The IP header length _usually_ is 20 bytes but can be longer. Bits 5-8 of the IP header contain the number of bytes of the IP header and are assumed to be 0x5 here. AFAIK we cannot read this value to use it as an offset in a filter. Workaround: test this value and branch if not equal to 0x5. Do not mention fragmentation which may occur with UDP packets. 3. And yes, while writing this, the length of the IP datagram is also contained in the IP header itself (byte 3+4). We could test this for a value of 28 dec=0x1C. Again, if the IP header contains options the header itself will be longer than this and the filter will fail. Advantage: less CPU load. By sheer coincidence ASCEND allows to test for 8 byte values and the two fields span 8 bytes exactly: In filter 01 Generic... Forward=No Offset=2 Length=8 Mask=FF FF 00 00 00 00 00 FF Value=00 1C 00 00 00 00 00 11 Compare=Equals More=No followed by the forward-all filter as above. 4. Decide for Input or Output filter yourself depending on which interface you apply it to. 5. All information from the excellent "TCP/IP Illustrated, Vol. 1" by W. Richard Stevens, Addison-Wesley, pages 34 and 144. Best regards, Wolfgang Peter Lalor wrote: > I need to write a filter to drop zero-length UDP packets. I believe > this can be done with a generic filter, but I haven't played with > those for awhile. _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- B · E · N · E · I · C · K · E EDV-Beratung ________________________________________________________________________ Netzwerk-Design Remote Access und WAN-Lösungen Storage-Lösungen (RAID, libraries, NAS/SAN) COMPAQ Server und PC Windows NT Implementation und Administration Dr. Wolfgang Beneicke fon +49-6223-97 07 20 Fasanenstrasse 16, D-69251 Gaiberg (Heidelberg) fax +49-6223-97 07 21 _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- ++ Ascend Users Mailing List ++ To unsubscribe: send unsubscribe to ascend-users-request at bungi.com Archives: http://www.nexial.com/mailinglists/