diff --git a/init.d/windivert.filter.examples/windivert_part.wireguard.txt b/init.d/windivert.filter.examples/windivert_part.wireguard.txt
index 890444e..bf62026 100644
--- a/init.d/windivert.filter.examples/windivert_part.wireguard.txt
+++ b/init.d/windivert.filter.examples/windivert_part.wireguard.txt
@@ -1,3 +1,3 @@
-udp.PayloadLength=148 and udp.Payload[0]=0x01 or
-udp.PayloadLength=92 and udp.Payload[0]=0x02 or
-udp.PayloadLength=64 and udp.Payload[0]=0x03
\ No newline at end of file
+udp.PayloadLength=148 and udp.Payload32[0]=0x01000000 or
+udp.PayloadLength=92 and udp.Payload32[0]=0x02000000 or
+udp.PayloadLength=64 and udp.Payload32[0]=0x03000000
diff --git a/nfq2/protocol.c b/nfq2/protocol.c
index 5e94138..1962e3d 100644
--- a/nfq2/protocol.c
+++ b/nfq2/protocol.c
@@ -1378,24 +1378,24 @@ bool IsDNSResponse(const uint8_t *data, size_t len)
 }
 bool IsWireguardHandshakeInitiation(const uint8_t *data, size_t len)
 {
-	return len==148 && data[0]==1;
+	return len==148 && pntoh32(data)==0x01000000;
 }
 bool IsWireguardHandshakeResponse(const uint8_t *data, size_t len)
 {
-	return len==92 && data[0]==2;
+	return len==92 && pntoh32(data)==0x02000000;
 }
 bool IsWireguardHandshakeCookie(const uint8_t *data, size_t len)
 {
-	return len==64 && data[0]==3;
+	return len==64 && pntoh32(data)==0x03000000;
 }
 bool IsWireguardData(const uint8_t *data, size_t len)
 {
 	// 16 bytes wg header + min 20 bytes for ipv4 encrypted header + 16 byte auth tag
-	return len>=52 && data[0]==4;
+	return len>=52 && pntoh32(data)==0x04000000;
 }
 bool IsWireguardKeepalive(const uint8_t *data, size_t len)
 {
-	return len==32 && data[0]==4;
+	return len==32 && pntoh32(data)==0x04000000;
 }
 bool IsDht(const uint8_t *data, size_t len)
 {