Looking at the UDP traffic from tcpdump, you will see an IP address followed by the port number: xx.xx.xx.xx.yy
So, taking the first packet as an example: the source was 195.189.97.122, in the Ukraine, using source port #57944, and the destination was your IP address at Telus in British Columbia, destination port #45853.
Taking the second packet as an example, it was from your IP at Telus to another IP at Telus. The destination port was "domain" -- port #53, used for DNS. I assume this is your local Domain Name Server at your ISP. The third packet was the reply.
And so on...
The reason I recommended the "host <remote server>" expression was to reduce your analysis to game traffic, assuming you can determine the address of the game server, or even the netblock it comes from. The host expression can use CIDR notation to capture entire subnets. e.g.: "host 192.168.0.0/8" would log only traffic from the entire 192.168.x.x network.
Quote:
...PF changes the packet dest addr...
Really? PF changes the packet destination address from 1234 to what? Your rule for UDP port 1234 (or any other rdr rule) does not show a destination change.
Show me.
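The address.port reading described in this post, as an added example that is not part of the original post: a small parser that splits tcpdump's `xx.xx.xx.xx.yy` tokens, maps service names such as "domain" back to port numbers, and keeps only the packets that touch a given netblock. The sample lines, the 203.0.113.x addresses, the 195.189.97.0/24 netblock and all function names are constructed for illustration.

```python
import ipaddress
import re
from typing import Iterator, NamedTuple

# Constructed sample in tcpdump's default text format. Only the first packet's
# source address and the two port numbers come from the post; 203.0.113.x are
# documentation addresses standing in for the ones the post does not give.
SAMPLE = """\
10:15:01.100001 IP 195.189.97.122.57944 > 203.0.113.10.45853: UDP, length 48
10:15:01.200002 IP 203.0.113.10.51522 > 203.0.113.53.domain: 4242+ A? example.com. (29)
10:15:01.250003 IP 203.0.113.53.domain > 203.0.113.10.51522: 4242 1/0/0 A 198.51.100.7 (45)
"""

# Service names tcpdump prints instead of numbers when run without -n (subset).
SERVICES = {"domain": 53, "ntp": 123, "bootps": 67, "bootpc": 68}
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): ")


class Packet(NamedTuple):
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def split_endpoint(token: str):
    """Split 'xx.xx.xx.xx.yy' at the last dot: address before it, port after."""
    host, _, port = token.rpartition(".")
    number = int(port) if port.isdigit() else SERVICES[port]  # KeyError if unknown
    return ipaddress.IPv4Address(host), number  # ValueError if host is a name


def parse(text: str) -> Iterator[Packet]:
    """Yield one Packet per IPv4 line; skip lines that do not fit the pattern."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        try:
            yield Packet(*split_endpoint(m.group(1)), *split_endpoint(m.group(2)))
        except (KeyError, ValueError):
            continue  # unresolved hostname or unknown service name


def involving(packets, cidr: str):
    """Keep packets whose source or destination falls inside the netblock."""
    net = ipaddress.ip_network(cidr)
    return [p for p in packets if p.src in net or p.dst in net]


if __name__ == "__main__":
    for p in involving(parse(SAMPLE), "195.189.97.0/24"):
        print(f"{p.src} port {p.sport} -> {p.dst} port {p.dport}")
```

To apply the same netblock restriction at capture time, pcap-filter's `net` primitive accepts CIDR notation, for example `net 195.189.97.0/24`.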