Ian_Johnson_382
Jan 06, 2012Nimbostratus
Seaching for string in tcp payload
Hi All,
I am looking at creating an iRule to perform persistence based on a 32bit value in the tcp payload. I have create a iRule which is using the findstr to perform this and it is working, but I would like to have the iRule just gather 32bit of data.
The information I am looking for is always after the hex be ef here is an example
0000 00 02 a5 75 66 21 00 07 0e 47 77 3f 08 00 45 00 ...uf!...Gw?..E.
0010 00 78 a3 57 40 00 3e 06 89 22 0a af c9 8b 0a af .x.W@.>.."......
0020 31 1d 23 40 07 b1 e9 b8 b3 80 df 38 76 16 50 18 1.@.......8v.P.
0030 ff c8 87 6f 00 00 24 00 00 00 00 00 00 00 00 00 ...o..$.........
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 06 06 be ef 20 00 0a 00 00 01 38 50 ........ .....8P
0070 6f 46 00 00 00 00 4f 53 52 56 5f 4f 50 56 41 4c oF....OSRV_OPVAL
0080 5f 41 4e 59 00 00 _ANY..
I have create an iRule using the findstr but I would like to just find be ef and take 32bits after that. Is this possible?
Here is the current iRule
when CLIENT_ACCEPTED {
if {$::debug != 0}{log local0. "Client connection [IP::client_addr]"}
if {$::debug != 0}{log local0. "Collecting TCP Payload"}
Collect tcp packets coming from client
TCP::collect
}
when CLIENT_DATA {
if {$::debug != 0}{log local0. "Save payload"}
Save tcp payload to variable payload
set payload [TCP::payload]
if {$::debug != 0}{log local0. "Convert payload to HEX"}
Convert payload to HEX so we can search for the string beef
binary scan $payload H* h_payload
if {$::debug != 0}{log local0. "Find the BEEF"}
Look for the strings beef and get everything between beef and 0001
set g_id [findstr $h_payload beef 4 0001]
if {$::debug != 0}{log local0. "Looking for matching persistence record"}
Persist using the session id
persist universal $g_id
if {$::debug != 0}{log local0. "BEEF is $g_id"}
if {$::debug != 0}{log local0. "TCP release"}
Release the tcp connection TCP::release
}
Thanks
Ian