
Forum Discussion

Angel_Lopez_116
Apr 16, 2014

Collect data sent by BIG-IP to client in iRule

Hi,

 

I'd need to collect data sent by BIG-IP to client in my iRule. I've been reading about TCP::collect and the related event CLIENT_DATA, but it seems to me that's only useful to collect data sent by client to BIG-IP, but I need to capture just the opposing flow, the data sent by BIG-IP to client in the clientside.

 

Can it be done?

 

Thanks.

 

6 Replies

  • But the SERVER_DATA event is triggered when data is received by the pool node in serverside, right? I need to collect data sent by BIG-IP to client in clientside at TCP level as I need to perform a binary scan in the collected TCP payload.

     

  • I need to collect data sent by BIG-IP to client in clientside at TCP level as I need to perform a binary scan in the collected TCP payload.

     

    What about VIP targeting VIP? In the front end virtual server, use the virtual command to send to the back end virtual server. TCP collect can be done on the front end virtual server.

     

    virtual

     

    https://devcentral.f5.com/wiki/iRules.virtual.ashx

     

  • The SERVER_CONNECTED event captures traffic returning from the pool member.

    when SERVER_CONNECTED {
        TCP::collect
    }
    when SERVER_DATA {
        log local0. [TCP::payload]
        TCP::release
        TCP::collect
    }
    

    I do not believe there is an egress event on the client side, other than perhaps HTTP_RESPONSE_RELEASE for HTTP traffic. I'd have to agree with Nitass that your best approach may be a layered virtual server for interactive processing. If you don't need it to be interactive, and this isn't SSL traffic, you could also probably use a client side clone pool and pass that through a layered VIP.

  • Admittedly, the previous post may have been misleading. The CLIENT_ACCEPTED and CLIENT_DATA events are triggered for traffic inbound from the client. The SERVER_CONNECTED and SERVER_DATA events are triggered for traffic outbound from the server. If you want to modify XML in the CS response, you'll find that in the SERVER_DATA event (after a TCP::collect).

     

  • Ah, well then you still need a layered LTM VIP in front of your View APM VIP. You'd use an iRule construct similar to this on that "external" VIP:

    when CLIENT_ACCEPTED {
        # point to the internal VIP by name
        virtual my_internal_view_vip
    }
    when SERVER_CONNECTED {
        TCP::collect
    }
    when SERVER_DATA {
        # do whatever you need to do here to replace content coming from the internal VIP (or CS)

        TCP::release
    }
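
The layered-VIP approach from the replies above, written out with the binary scan the original question asks about. This is an added example, not code posted by anyone in the thread. `my_internal_view_vip` is the name used in the last reply, and the 4-byte record header (16-bit type, 16-bit length, big-endian) is an assumed format for illustration only.

```tcl
# Added example: iRule for the front-end ("external") virtual server.
# my_internal_view_vip is the name used in the thread; the 4-byte header
# layout (16-bit type, 16-bit length, big-endian) is an assumed format.
when CLIENT_ACCEPTED {
    # Hand the connection to the internal virtual server by name
    virtual my_internal_view_vip
}
when SERVER_CONNECTED {
    # Start buffering data returning from the internal virtual server
    TCP::collect
}
when SERVER_DATA {
    # Wait for a full header before scanning; a segment may arrive
    # with fewer bytes than the header needs
    if { [TCP::payload length] < 4 } {
        TCP::collect
        return
    }
    # S = 16-bit big-endian integer (signed); mask to get unsigned values
    if { [binary scan [TCP::payload 4] SS type len] == 2 } {
        set type [expr { $type & 0xffff }]
        set len  [expr { $len & 0xffff }]
        log local0. "egress record type=$type len=$len buffered=[TCP::payload length]"
    }
    # Release the buffered bytes toward the client, then keep collecting
    TCP::release
    TCP::collect
}
```

From the front-end virtual server's point of view the internal virtual server is the "server", so SERVER_DATA here sees exactly the bytes the internal VIP would have sent to the client.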