Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

beefy80's avatar
beefy80
Icon for Nimbostratus rankNimbostratus
Apr 03, 2014

Calculating a two byte header in message payload

Hello I am currently writing a logging event to capture a message but I am finding that by enabling the TCP::collect event the processing is being slowed down by as much as 2 seconds. As the message...
application delivery
devops
irules
LTM
John_Alam_45640's avatar
John_Alam_45640
Historic F5 Account
Apr 04, 2014

James

I would start by collecting only 2 bytes. Convert those from hex to decimal and then collect that number of bytes before you release.

when CLIENT_ACCEPTED {
   TCP::collect 2
   set header_collected "false"
}

when CLIENT_DATA {

   if { not ($header_collected) } {
       Comment out one of the two binary scan lines below.
       use this form if lower order byte is last (big endian order)
      binary scan [TCP::payload] S message_length
       use this form if lower order byte is first (little endian order)
      binary scan [TCP::payload] s message_length

      if { $message_length > 0 } {
         set header_collected "true"
         log local0. "Collecting message with length $message_length"
         TCP::collect $message_length
       }
    } else {
       if we are here the actual message is collected.
      set actual_message_text [TCP::payload]
      TCP::release
    }
 }

Feel free to post what you have and we take a look.

Examples of binary scan:

% binary scan \x02\x00 s var1
1
% puts $var1
2
% binary scan \x00\x03 S var1
1
% puts $var1
3
%

http://tmml.sourceforge.net/doc/tcl/binary.html

HTH.
beefy80's avatar
beefy80
Icon for Nimbostratus rankNimbostratus
Apr 04, 2014
Thank you for this John. I am going to look at this further and will post back how I get on.