Forum Discussion: Binary Scan
paul_adomeit_70 (Nimbostratus), Dec 07, 2006
There's not a lot of information out there on how to scan binary TCP data for specific matches. We were having a problem with an app hang if the SSL Server Hello message went missing on the client side of the BIG-IP. I figured I'd write an iRule to 'replicate' the packet loss by inserting another BIG-IP between the client and the real VIP and have it 'lose' packets every once in a while. This gives the app time to start and then break later on.
The below iRule contains bits and pieces of ideas from several different iRules.
    when RULE_INIT {
        # set a counter so we can selectively drop packets
        set ::COUNTER 0
    }
    when CLIENT_ACCEPTED {
        # grab the client IP and port for later logging
        set client_ip [IP::client_addr]
        set client_port [TCP::remote_port]
    }
    when SERVER_CONNECTED {
        # I'm not sure why I have to put this line here but it's needed
        TCP::collect
    }
    when SERVER_DATA {
        # read in the data from the server side
        TCP::collect
        # set a variable to whatever the data is
        set payload [TCP::payload]
        # next section identifies the packet we want to 'drop'
        # scan the data, take the first 6 bytes (12 hex digits) and set variable data
        binary scan $payload H12 data
        # 16 is an ssl handshake, 0300 is version 3, the next two bytes
        # are the length, we skip them.
        # the last byte is the type, 02 is a Server Hello
        if { ( $data starts_with "160300" ) && ( $data ends_with "02" ) } {
            # if we made it here, we've got an SSL server hello packet
            if { $::COUNTER equals "5" } {
                # The global counter is at 5, reset the counter to 0
                set ::COUNTER 0
                # Log that we are about to 'drop' the packet
                log local0. "dropping SSL session $client_ip:$client_port "
                # terminate processing....bye bye packet
                return
            }
            # If you are here, we have an SSL server hello but
            # we are going to let this one through
            log local0. "matched an SSL server hello but letting it through"
            # increment the global counter
            incr ::COUNTER
            # log the counter state just to see that the rule matched 'stuff'
            log local0. "COUNTER is now $::COUNTER"
        }
        # if you made it this far, it was not an SSL server hello
        # or it was not time to drop this particular hello
        # release the data to the client side
        TCP::release
    }
Richard_Shuford (Ret. Employee):
It seems that the conversion from the old DevCentral website to the new one (in 2019) lost the '#' octothorpe characters that delimit TCL comments.