<NFCP>FWIP,2,07/21/2009 7:56:14,SOURCEIP,SOURCEPORT,DESTINATIONIP,DESTINATIONPORT,,,drop,udp,,,,s-UDP-389,IPADRESS,,0,,11,237,,'21Jul2009 7:56:14:drop:fw1:inbound:eth-s3p3c0:0:VPN-1 & FireWall-1:product=VPN-1 & FireWall-1[db_tag={D2A7175A-72F3-11DE-A8B2-5150013FF2F2};mgmt=cma_;date=1247850240;policy_name=CMA__20090717-3-HMS]:h-XXX_XXX_ActiveDirectory-1.1.1.1
And I would like to capture
FWIP, SOURCEIP, DESTINATIONPORT UDP 53 or 389, and that it's drop,udp,
Anybody help?
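
One way to capture those fields, as an added example that is not part of the original post: an anchored regular expression applied in Python. The field positions are an assumption inferred from the single sample line above, the name `capture_dropped_udp` is hypothetical, and the sample lines use constructed documentation addresses.

```python
import re

# Assumed layout, inferred from the one sample line in the post:
# <NFCP>FWIP,2,timestamp,SRCIP,SRCPORT,DSTIP,DSTPORT,,,action,proto,...
LINE_RE = re.compile(
    r"^<NFCP>(?P<fw_ip>[^,]+),"   # firewall IP directly after the tag
    r"[^,]*,"                     # second field ("2" in the sample)
    r"[^,]*,"                     # timestamp
    r"(?P<src_ip>[^,]+),"
    r"[^,]*,"                     # source port, not captured
    r"[^,]+,"                     # destination IP, not captured
    r"(?P<dst_port>53|389),"      # whole field must be 53 or 389
    r"[^,]*,[^,]*,"               # two empty fields in the sample
    r"drop,udp,"                  # action and protocol must both match
)

def capture_dropped_udp(line):
    """Return fw_ip, src_ip and dst_port for dropped UDP 53/389, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "fw_ip": m.group("fw_ip"),
        "src_ip": m.group("src_ip"),
        "dst_port": int(m.group("dst_port")),
    }

# Constructed sample lines (documentation address ranges, shortened tails).
SAMPLES = [
    "<NFCP>192.0.2.1,2,07/21/2009 7:56:14,198.51.100.7,40211,203.0.113.10,389,,,drop,udp,,,,s-UDP-389,192.0.2.1,,0,,11,237,,'21Jul2009 7:56:14:drop:fw1'",
    "<NFCP>192.0.2.1,2,07/21/2009 7:56:15,198.51.100.8,40212,203.0.113.10,53,,,drop,udp,,,,s-UDP-53,192.0.2.1,,0,,11,80,,'21Jul2009 7:56:15:drop:fw1'",
    "<NFCP>192.0.2.1,2,07/21/2009 7:56:16,198.51.100.9,40213,203.0.113.10,389,,,accept,udp,,,,s-UDP-389,192.0.2.1,,0,,11,237,,''",
    "<NFCP>192.0.2.1,2,07/21/2009 7:56:17,198.51.100.9,40214,203.0.113.10,53,,,drop,tcp,,,,s-TCP-53,192.0.2.1,,0,,11,60,,''",
    "<NFCP>192.0.2.1,2,07/21/2009 7:56:18,198.51.100.9,40215,203.0.113.10,5353,,,drop,udp,,,,s-UDP-5353,192.0.2.1,,0,,11,90,,''",
]

def matching_events(lines):
    """Keep only the lines that satisfy every condition in the request."""
    return [hit for hit in map(capture_dropped_udp, lines) if hit is not None]

if __name__ == "__main__":
    for event in matching_events(SAMPLES):
        print(event)
```

Because each field is delimited by the commas on both sides, a destination port such as 5353 does not match the `53` alternative.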