where's the tcp payload?

Question

I don't get it.  Why can't I log tcp payload when the following irules are defined?&nbsp;
&nbsp;when CLIENT_ACCEPTED {
&nbsp;    log local0. "client accepted from [IP::client_addr] on port [TCP::client_port]."
&nbsp;    TCP::collect
&nbsp;}
&nbsp;when SERVER_CONNECTED {
&nbsp;    log local0. "Server [IP::server_addr] connected on port [TCP::server_port]."
&nbsp;    TCP::collect
&nbsp;}    
&nbsp;when CLIENT_DATA {
&nbsp;    set encodingSystem [encoding system]
&nbsp;    log local0. "encoding is $encodingSystem. "
&nbsp;    log local0. "encoding is [encoding system]. "&nbsp;
&nbsp;    set paylen  [TCP::payload length] 
&nbsp;    set payload [TCP::payload] 
&nbsp;    set clientPort [TCP::client_port]
&nbsp;    set clientAddress [IP::client_addr]
&nbsp;    log local0. "TCP (length)payload from ($clientAddress:$clientPort) = ($paylen)$payload"
&nbsp;    set payload [UDP::payload] 
&nbsp;    log local0. "UDP payload: $payload"
&nbsp;    TCP::release
&nbsp;    TCP::collect 
&nbsp;}
&nbsp;when LB_SELECTED {
&nbsp;    set paylen  [TCP::payload length] 
&nbsp;    set payload [TCP::payload] 
&nbsp;    set lbServer [LB::server addr]
&nbsp;    log local0. "Selected $lbServer.  TCP (length)payload is ($paylen)$payload"    
&nbsp;    STREAM::disable
&nbsp;    set server={LB::server name}
&nbsp;    STREAM::expression {@POOL1     @I         @}
&nbsp;    STREAM::enable
&nbsp;    TCP::release
&nbsp;    TCP::collect 
&nbsp;}
&nbsp; This section only logs matches, and should be removed before using the rule in production.
&nbsp;when STREAM_MATCHED {
&nbsp;    log local0. "Matched: [STREAM::match]"
&nbsp;    TCP::release
&nbsp;    TCP::collect 
&nbsp;}&nbsp;
&nbsp;These are the only log entries that are generated (sorted in descending time sequence).&nbsp;
&nbsp;Wed Apr 28 04:43:57 EDT 2010     info     local/tmm     tmm[5293]           Rule replaceVirtualHostName : Selected 10.99.12.223. TCP (length)payload is (0)
&nbsp;Wed Apr 28 04:42:57 EDT 2010     info     local/tmm     tmm[5293]           Rule replaceVirtualHostName : client accepted from 10.99.12.40 on port 3485. &nbsp;
&nbsp; I can't even get irules to fire for the client_data event.  Ultimately, i need to intercept and replace a string in the client request after a pooled server is selected and before it is sent to the server. For now, i just want to see the payload to confirm the expected standard conversation. &nbsp;
&nbsp;Secondly, why does an entire minute expire before the lb_selected event is fired?  Is that because i am using the virtual edition?&nbsp;
&nbsp;I am a novice at this, and so i am hoping someone can tell me that i am doing something basically stupid!&nbsp;
&nbsp;Thanks,&nbsp;
&nbsp;Parke Cummins&nbsp;

hamish · Answer

I've had a quick look using vLTM. And the CLIENT_DATA event fires just fine... When I test from the command line... And assuming there's an EOL sent...  
&nbsp;  
&nbsp; If your data is purely binary though, I think the problem you're running into is the lack of parameter to the TCP::collect command. The VS will be sitting there waiting for more data, because you haven't told it how much to collect before firing the CLIENT_DATA event. 
&nbsp;  
&nbsp; That'll also be the reason I think that the LB_SELECTED is taking 60 seconds to fire... You're having to hit a timeout before the process proceeds... 
&nbsp;  
&nbsp; H

parke_cummins_1 · Answer

Sorry for the delay in reading your response.  thanks for that input.  I did try specifying a byte count with the tcp:collect at some point, but i don't remember the state of the surrounding iRules; so i think there's merit in trying your suggestion again without changing much else.  I'll repost with results. 
&nbsp;  
&nbsp; Thanks, 
&nbsp; parke

unruley_95363 · Answer

Once you call TCP::release (which you are doing initially in the CLIENT_DATA event), the data is released from TCP and no longer available via the TCP::payload command unless new data has arrived and the CLIENT_DATA event has not had a chance to trigger yet (eg: you are evaluating the LB_SELECTED). 
&nbsp;  
&nbsp; I'm very curious why you want to access the TCP payload from the LB_SELECTED event in the first place...   In the sample you posted, you do have the data saved off in a variable. 
&nbsp;  
&nbsp; I am looking into the best way to release just the held connection initiation but continue to hold any data (which is what I think you are wanting). &nbsp;

Forum Discussion

where's the tcp payload?

3 Replies

Recent Discussions

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Port Group on F5OS network setting

Related Content

Where are F5's archived deployment guides?

CVE: Who, What, Where, and When

Large payload post requests aren't responding

HTTP Payload Collection

Payload string based persistence