Seaching for string in tcp payload

Aaron,

 

 

 

Here is the tcp payload again

 

 

000 00 02 a5 75 66 21 00 07 0e 47 77 3f 08 00 45 00 ...uf!...Gw?..E. 
0010 00 78 a3 57 40 00 3e 06 89 22 0a af c9 8b 0a af .x.W@.>.."...... 
0020 31 1d 23 40 07 b1 e9 b8 b3 80 df 38 76 16 50 18 1.@.......8v.P. 
0030 ff c8 87 6f 00 00 24 00 00 00 00 00 00 00 00 00 ...o..$......... 
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
0060 00 00 00 00 06 06 be ef 20 00 0a 00 00 01 38 50 ........ .....8P 
0070 6f 46 00 00 00 00 4f 53 52 56 5f 4f 50 56 41 4c oF....OSRV_OPVAL 
0080 5f 41 4e 59 00 00                               _ANY.. 

 

 

 

The reason I just need the 32bit is because this is the lenght session id the appilcation creates. The format of the id is

 

be ef                     <- 16 bit magic number
20                          <- 8 bit gateway id 
00 0a 00                <- 24 bit session id

 

 

In the iRule I was using the findstr with look for beef and ending in 0001, which worked fine in the test but I have since found out that not all session id will end in 0001. So I want to find the string beef and then get the next 32bit only.

 

 

 

when CLIENT_ACCEPTED {
if {$::debug != 0}{log local0. "Client connection [IP::client_addr]"}
if {$::debug != 0}{log local0. "Collecting TCP Payload"}
 Collect tcp packets coming from client
TCP::collect 
}
when CLIENT_DATA {
if {$::debug != 0}{log local0. "Save payload"}
 Save tcp payload to variable payload
set payload [TCP::payload]

if {$::debug != 0}{log local0. "Convert payload to HEX"}
 Convert payload to HEX so we can search for the string beef
binary scan $payload H* h_payload

if {$::debug != 0}{log local0. "Find the BEEF"}
 Look for the strings beef and get everything between beef and 0001
set g_id [findstr $h_payload beef 4 0001]

if {$::debug != 0}{log local0. "Looking for matching persistence record"}
 Persist using the session id
persist universal $g_id
if {$::debug != 0}{log local0. "BEEF is $g_id"}

if {$::debug != 0}{log local0. "TCP release"}
 Release the tcp connection
TCP::release
}

 

 

Thanks

 

Ian

 

 

PS> Hope this code is easier to read now.