Primarily, I'm trying to get the source address and dest port from the payload of a Netfilter queue payload (The payload is retrieved using the nfq_get_payload function). The following question asks the same thing and gets a correct answer:
How to extract source and destination port number from packet in queue of iptables
Unfortunately, there's no explanation as to why adding 20 and 22 to the address puts you in the right spot to read the info. I assume this is because of the structure of the data (obviously), but if there's a defined structure, what is it?
The documentation doesn't explicitly explain how the data is formatted, only that 'type of data retrieved by this function will depend on the mode set with the nfq_set_mode() function', but then the docs for set_mode don't mention anything about data type and the source doesn't immediately reveal anything.
I feel like this must be something very central to common network programming structs that I'm missing or not understanding.
Notes: nfq_get_payload function: http://www.netfilter.org/projects/libnetfilter_queue/doxygen/group__Parsing.html#gaf79628558c94630e25dbfcbde09f2933