Check for String in TCP Payload from a specific position

Question

&nbsp;
Hi Guys,&nbsp;
 &nbsp;
I’m new here, as well as with F5 systems. Though basic load balancing is okay, I have this requirement where I believe iRules would be of big help.  From the TCP payload, I need to base my load balancing from a specific 6-byte information in a specific position.&nbsp;
Here’s a sample payload, I need to search (underlined) info, to know (in string) if this is 000001 and decide load balancing from there. In some cases, the data here can be random characters, null, or zeros like the one below.&nbsp;
 &nbsp;
0000  00 15 17 48 5d fc 00 50  56 9f 0f 2b 08 00 45 00   ...H]..P V..+..E.&nbsp;
0010  01 2a 5b 1e 40 00 80 06  c2 b1 0a 08 06 12 d0 e0   .*[.@... ........&nbsp;
0020  fb 03 27 61 12 ae bd 85  05 bb 3f e8 5a 37 50 18   ..'a.... ..?.Z7P.&nbsp;
0030  fa 36 f3 f8 00 00 01 00  31 34 31 30 30 30 30 30   .6...... 14100000&nbsp;
0040  30 30 30 30 30 30 31 38  38 38 38 38 38 30 30 35   00000018 88888005&nbsp;
0050  30 30 30 30 30 30 30 37  30 32 30 31 30 30 30 37   00000007 02010007&nbsp;
0060  20 20 37 30 32 36 36 36  36 37 37 30 31 30 30 30     702666 67701000&nbsp;
0070  30 30 30 31 39 34 23 10  02 30 01 01 02 00 00 02   000194. .0......&nbsp;
0080  08 03 06 15 49 00 00 00  00 02 09 20 12 08 03 14   ....I... ... ....&nbsp;
0090  21 42 03 05 09 07 02 01  00 07 88 00 01 54 71 00   !B...... .....Tq.&nbsp;
00a0  97 f4 c0 dd 58 15 30 30  30 30 30 31 38 38 38 38   ....X.00 00018888&nbsp;
00b0  38 38 30 30 35 36 36 36  36 37 37 30 31 20 20 20   88005666 67701  &nbsp;
00c0  20 20 20 20 20 01 01 07  56 00 00 00 00 07 80 02        ... V.......&nbsp;
00d0  04 00 00 00 78 02 32 30  30 37 37 31 31 43 45 30   ....x.20 07711CE0&nbsp;
00e0  37 33 32 30 30 44 37 31  36 32 30 31 32 30 38 30   73200D71 62012080&nbsp;
00f0  33 31 34 32 31 34 32 04  00 00 01 28 17 00 15 30   3142142. ...(...0&nbsp;
0100  30 30 30 35 33 38 38 38  38 38 38 30 30 35 36 36   00053888 88800566&nbsp;
0110  36 36 37 37 30 39 20 20  20 20 20 20 20 20 00 00   667709         ..&nbsp;
0120  00 43 48 46 33 2e 34 39  30 30 30 30 02 07 02 00   .CHF3.49 0000....&nbsp;
0130  00 00 00 00 00 02 07 56                            .......V         &nbsp;
 &nbsp;
We’ve did the basic iRule below but obviously does not work on all transactions:&nbsp;
when CLIENT_ACCEPTED {&nbsp;
 &nbsp;
  TCP::collect 15&nbsp;
}&nbsp;
when CLIENT_DATA {&nbsp;
  if { [TCP::payload 15] contains "000001" } {&nbsp;
pool Pool1   &nbsp;
  } else {&nbsp;
pool Pool2  &nbsp;
}&nbsp;
 TCP::release&nbsp;
}&nbsp;
 &nbsp;
Any help would be appreciated and thanks in advance.&nbsp;

hamish · Answer

If you have a look at the FIX iRule from codeshare (I think Nathan did it didn't he?) it does pretty much what you want (Albeit for FIX traffic). That's at 
&nbsp;  
&nbsp; https://devcentral.f5.com/wiki/iRules.FixSelectPoolBasedOnSenderCompID.ashx 
&nbsp;  
&nbsp; There's also the LDAP Stats Measuring iRule at 
&nbsp;  
&nbsp; https://devcentral.f5.com/wiki/iRules.LDAP_Stats_Measuring.ashx 
&nbsp;  
&nbsp; H &nbsp;

rahtoll_74678 · Answer

Thank you for your response. I'm not sure if the link you provided would be related or would be the closest answer as what i just want to do is to read the 6 bytes on this specific position and try to confirm if it is the match i'm looking for. Like for example, from the TCP payload, i would skip 5 bytes which would be random characters, and start reading only for the next 6 bytes after this? Thanks again. 
&nbsp;  
&nbsp;  
&nbsp;  
&nbsp; Lez

michael_yates · Answer

Hi rahtoll, 
&nbsp;  
&nbsp; You could try adjusting your TCP::collect to collect 6 bytes after skipping the first 5 bytes and then do a literal compare. 
&nbsp;  
&nbsp; TCP::collect   
&nbsp;  
&nbsp; TCP::collect 6 5

hooleylist · Answer

That's a novel idea Michael, but I think it would have an unintended consequence of passing some of the data through on the serverside before parsing the full request payload. 
  
 Here's a sample for using binary scan I tried in a quick test.  Maybe something like this will work for you?

when RULE_INIT {
 Encode the raw bytes in base64 to test
set bytes_b64 "ABUXSF38AFBWnw8rCABFAAEqWx5AAIAGwrEKCAYS0OD7AydhEq69hQW7P+haN1AY+jbz+AAAAQAxNDEwMDAwMDAwMDAwMDE4ODg4ODgwMDU="
log local0. "\$bytes_b64: $bytes_b64"

set bytes_raw [b64decode $bytes_b64]
log local0. "\$bytes_raw: $bytes_raw"

Skip 59 bytes into the payload and save the next 6 bytes to $match
binary scan $bytes_raw x59a6 match
log local0. "\$match: $match"
}

&lt; RULE_INIT &gt;: $match: 000000 
  
 I'll reply with a more specific example in a minute. 
  
 Aaron

hooleylist · Answer

Here's what I'm thinking could work for your scenario:

when CLIENT_ACCEPTED {
 Collect at least 65 bytes if the bytes to parse are 59-65
TCP::collect 65
}
when CLIENT_DATA {

use pool2 by default
pool Pool2

Start reading at the 59th byte and save 6 characters to $match
if {[binary scan $bytes_raw x59a6 match] == 1}{
log local0. "Matched $match"
if { $match eq "000001" } {
pool Pool1
}
}
TCP::release
}

Aaron

Forum Discussion

Check for String in TCP Payload from a specific position

8 Replies

Recent Discussions

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Stable Firmware for F5

Related Content

F5 Distributed Cloud WAF AI/ML Model to Suppress False Positives

Handle False Positive for files upload

CMS causing False Positives

Separating False Positives from Legitimate Violations

Large payload post requests aren't responding