How to read a data in the UDP payload ?

This should help get you there:

when RULE_INIT {
   set ::radius_signature [binary format c3 {1 0 0x7d}]
}
when CLIENT_DATA {
   if { [UDP::payload length] > 4 } {
      binary scan [UDP::payload] x1c3 radius_stuff
      if { $radius_stuff == $::radius_signature } {
         node a.b.c.d 123
      }
   }
}

Disclaimer: I have not tested if this rule even loads.

You will likely also want to enable "datagram lb" so that each udp datagram is re-loadbalanced.

Thanks for the irule and your reactivity !

 

 

The data I should retrieve in a payload is a radius Type/Length/Value attribute (variable position). So I must test several data.

 

I have some questions for confirmation (... It's my first use):

 

 

example . Radius/UDP Ethereal

 

-------

 

UDP / 69 51 81 66 07 14 00 85 8d a9 /end UDP

 

begin Radius / 01 01 00 7d 26 ...

 

 

Are the following lines correct?

 

- To load the first 50 octets (for example) bytes of the payload

 

When CLIENT_ACCEPTED { UDP::collect 50 }

 

- If I want to read Radius Lenght : 007d (?)

 

binary scan [UDP::payload] x2a4 Radius_Lengh

 

 

Thank you for your assistance .

Yes, your assumptions are correct. "UDP::collect 50" collects the first 50 octets of the payload (not including the IP/UDP headers).

For the binary scan, I would probably use "I" for the radius length since it is a 4 byte integer stored in big-endian format that you want.

So, try this:

binary scan [UDP::payload] x2I1 Radius_Length

Woops. I just re-read your post and it looks like radius length is really only two bytes so you'll want to use "S" instead:

binary scan [UDP::payload] x2S1 Radius_Length

thanks for the answers,

 

I have 2 problems :

 

- procedure UDP::collect undefined

 

01070151:3: Rule [Irules_Radius_acces] error:

 

line 12: [undefined procedure: UDP::collect] [UDP::collect 50]

 

- When I look at result of UDP::Payload command, I dont see a HEX sequence.

 

ex : "binary scan [UDP::payload] a10 Radius_zone"

 

give Radius_zone = ^A^O\300\200^T\303\217 \303\234^X^Da

 

but this text would have to be read = 0101007d26fc in HEX ...

 

 

UDP::collect is undefined. Since UDP does not guarantee ordering, collecting doesn't make much sense. Use UDP::payload instead. I'm not sure I completely understand your second issue, but you can use the binary format command to convert the binary data to a hex string.

What you are seeing is merely the ascii equivalent of your binary data (as I assume you might have logged it). Follow Dr.Teeth's suggestion of using binary format if you would actually like to see the values in HEX. Probably something like:

log "Packet rcvd: [binary format h* [UDP::payload]]"