Forum Discussion
jdscrymgeour_42
Nimbostratus
NimbostratusTCP Logging all traffic
My rule is basically the same as the below:
when CLIENT_ACCEPTED {
TCP::collect
{
when CLIENT_DATA {
set DATA [TCP::payload]
log local0. "TCP DATA: $DATA"
TCP:...
nitass
Employee
Employeehow do you know CLIENT_DATA is not triggered again?
[root@iris:Active] config b virtual bar list
virtual bar {
snat automap
pool foo
destination 172.28.17.33:http
ip protocol tcp
rules myrule
}
[root@iris:Active] config b rule myrule list
rule myrule {
when CLIENT_ACCEPTED {
TCP::collect
}
when CLIENT_DATA {
set DATA [TCP::payload]
log local0. "[IP::client_addr]:[TCP::client_port]|$DATA"
TCP::release
TCP::collect
}
}
[root@iris:Active] config tail -f /var/log/ltm
Oct 18 22:01:06 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET / HTTP/1.1 Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; BRI/2) Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 11 Jun 2011 00:31:47 GMT If-None-Match: "667a-67-cfb682c0" Host: 172.28.17.33 Connection: Keep-Alive
Oct 18 22:01:06 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET /dog.gif HTTP/1.1 Accept: */* Referer: http://172.28.17.33/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; BRI/2) Accept-Encoding: gzip, deflate If-Modified-Since: Thu, 24 Feb 2011 07:40:14 GMT If-None-Match: "5d7f-1530-52f31380" Host: 172.28.17.33 Connection: Keep-Alive
Oct 18 22:01:09 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET / HTTP/1.1 Accept: */* Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; BRI/2) Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 11 Jun 2011 00:31:47 GMT If-None-Match: "667a-67-cfb682c0" Host: 172.28.17.33 Connection: Keep-Alive
Oct 18 22:01:09 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET /dog.gif HTTP/1.1 Accept: */* Referer: http://172.28.17.33/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; BRI/2) Accept-Encoding: gzip, deflate If-Modified-Since: Thu, 24 Feb 2011 07:40:14 GMT If-None-Match: "5d7f-1530-52f31380" Host: 172.28.17.33 Connection: Keep-Alive
Oct 18 22:01:10 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET / HTTP/1.1 Accept: */* Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; BRI/2) Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 11 Jun 2011 00:31:47 GMT If-None-Match: "667a-67-cfb682c0" Host: 172.28.17.33 Connection: Keep-Alive
Oct 18 22:01:10 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53113|GET /dog.gif HTTP/1.1 Accept: */* Referer: http://172.28.17.33/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; BRI/2) Accept-Encoding: gzip, deflate If-Modified-Since: Thu, 24 Feb 2011 07:40:14 GMT If-None-Match: "5d7f-1530-52f31380" Host: 172.28.17.33 Connection: Keep-Alive
