TCP::payload - How do I get data from the TCP data field?

Question

I'm trying to write an iRule that reads the TCP data rather than HTTP data. I'm building it off an HTTP data iRule that works. The first one works as expected. 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp; if {[findstr [HTTP::uri] "user=" 5] == "me" } { 
&nbsp; pool pool1 
&nbsp; } 
&nbsp; else { 
&nbsp; pool pool2 
&nbsp; } 
&nbsp; } 
&nbsp;  
&nbsp; The second doesn't seem to get any data; the TCP::payload seems to be a null. 
&nbsp;  
&nbsp; when CLIENT_ACCEPTED {  
&nbsp; if {[TCP::local_port] == 80} {  
&nbsp; TCP::collect 75 
&nbsp; log local0. "Test1[findstr [TCP::payload] "user=" 5]End" 
&nbsp; }  
&nbsp; } 
&nbsp; when CLIENT_DATA {  
&nbsp; if {[findstr [TCP::payload] "user=" 5] == "me"} { 
&nbsp; pool pool1 
&nbsp; } 
&nbsp; else { 
&nbsp; pool pool2 
&nbsp; } 
&nbsp; } 
&nbsp;  
&nbsp; When I run this, the ltm log shows .. Test1End, infering the TCP::payload is null. I've tried many other combinations, but no luck so far. Any advice? 
&nbsp;  
&nbsp; thanks ...

joe_pruitt · Answer

You are very close.  Let's take a look at your code piece by piece... 
&nbsp;  
&nbsp; when CLIENT_ACCEPTED { 
   if {[TCP::local_port] == 80} { 
     TCP::collect 75 
     log local0. "Text1[findstr [TCP::payload] "user=" 5]End" 
   } 
 } 
&nbsp;  
&nbsp; The CLIENT_ACCEPTED event is triggered when the client establishes a connection.  At this point there is no data to be processed (we'll there could be but it is not guaranteed).  You must call TCP::collect which you are doing for 75 bytes.  The resulting payload is not available until the CLIENT_DATA event is triggered.  This will occur when the 75 bytes have been received (or portion of if the size is smaller than 75).  At this point you will have access to the TCP::payload data. 
&nbsp;  
&nbsp; when CLIENT_DATA { 
   log local0. "Text1[findstr [TCP::payload] "user=" 5]End" 
   if {[findstr [TCP::payload] "user=" 5] == "me"} { 
     pool pool1 
   } 
   else { 
     pool pool2 
   } 
 } 
&nbsp;  
&nbsp; Note that if you need additional data, you can call TCP::collect from within the CLIENT_DATA event and that will trigger a subsequent CLIENT_DATA event when the additional data is called.  When you access TCP::payload at this point, the content will be the total accumulated payload. 
&nbsp;  
&nbsp; Hope this helps. 
&nbsp;  
&nbsp; -Joe

unruley_95363 · Answer

It needs to be pointed out that there is currently a known issue in v9.0.1 (CR41716) that will prevent making a load-balancing decision in the CLIENT_DATA event from working correctly.  
&nbsp;    
&nbsp;  The problem is that TCP::collect doesn't properly hold the internal accepted event from reaching the proxy.  This results in a load-balancing decision as soon as the TCP connection is established and *before* any data has actually been received.  After the load-balancing decision has occurred and the server-side has been connected, selecting a new pool will have no effect.  
&nbsp;     
&nbsp;  There is possibly a very crazy way to make it work that involves using the LB_SELECTED and USER_RESPONSE events, as well as the TCP::notify and LB::reselect commands.  However, I instead highly recommend getting the impending v9.0.2 release over doing this kind of thing (you're welcome to experiment).  
&nbsp;     &nbsp;

wmazanek_98800 · Answer

Hello,&nbsp;
&nbsp;I used your advices, and all works fin, but... I'm trying to achieve same functionality with ssl client profile enabled. When using the iRule above, the encrypted data is collected which causes the balancing decision impossible.
&nbsp;I wonder if anyone knows what should be done to collect decrypted payload from the ssl traffic which is terminated by ltm.&nbsp;
&nbsp;BR.
&nbsp;w.

geoff_33652 · Answer

I was able to get the above example working with a TCP, but also ran into the same issue as described by wmazanek.  Is the LB selection possible with an iRule on a SSL_TCP virtual server?

spark_86682 · Answer

There's no direct way yet (it's coming, though), so the best you can do is an indirect way. If you're on v9.4.0 or above, you can use the virtual command to direct the decrypted traffic to a standard TCP virtual server where you can then use the usual TCP:: commands to inspect content and make load-balancing decisions. To elaborate, the virtual server that the client connects to will have a clientssl profile, and a very simple iRule that looks like: 
  
 when CLIENT_ACCEPTED { 
   virtual internal_virtual 
 } 
  
 so that the decrypted traffic will be accessible on the "internal_virtual" server. Then, you create that new virtual server (here, named "internal_virtual") and you can just inspect the plaintext content in the usual TCP way: 
  
 when CLIENT_ACCEPTED { 
   TCP::collect 100 
 } 
 when CLIENT_DATA { 
   set payload [TCP::payload] 
   if { $payload contains "magic" } { 
     pool magic_pool 
   } else { 
     pool default_pool 
   } 
 }

If you're on some version before v9.4.0, then the only way to do it is an ugly hack that just simulates the above. If this is the situation you're in, and you can't upgrade, post back and I'll try to write up the instructions, because they're long and ugly.

Forum Discussion

TCP::payload - How do I get data from the TCP data field?

7 Replies

Recent Discussions

Rundeck ansible F5 errors

What is the meaning is 52% block in WAF

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

Help with tcp/http payload irule

What is HTML Field Obfuscation?

BIG-IP Orchestrate in private Data Center using Terraform Cloud Agent

Implementing Data Guard

Net Trunk API Status Field Missing