Forum Discussion

jay_41157
Sep 16, 2008

reg exp in health monitor

Hi,

I need my receive string to be exactly 0

So I am thinking to use: "^0\n"

Will this work? Any other ideas?

Thanks

7 Replies

  • Hello,

    I think you'd want either:

    ^0\n\n$

    or:

    ^0\r\n\r\n$

    The server should respond with two carriage return + line feeds. You can capture a tcpdump of a successful response to see exactly what it sends:

    tcpdump -ni 0.0 -Xs0 host SERVER_IP

    You can enable debug on the monitoring daemon, bigd, by running 'b db bigd.debug enable'. Output is written to /var/log/bigdlog by default. To disable logging, run 'b db bigd.debug disable'. Note that the hex output from tcpdump will probably be more helpful than the bigd debug, as the log doesn't show the unprintable characters.

    Aaron
  • Thanks, not sure I can tell what is being sent back ... below is the tcp dump,

    with the monitor debugging I only got 0 and no non-printable characters.

       12:36:09.954766 802.1Q vlan4093 P0 172.23.1.18.44741 > 172.23.1.137.16092: P 1:30(29) ack 1 win 5840 (DF)
       0x0000 0ffd 0800 4500 0045 ab47 4000 4006 34a2 ....E..E.G@.@.4.
       0x0010 ac17 0112 ac17 0189 aec5 3edc a395 6351 ..........>...cQ
       0x0020 f159 996a 5018 16d0 132a 0000 4745 5420 .Y.jP....*..GET.
       0x0030 2f68 6561 7274 6265 6174 2048 5454 502f /heartbeat.HTTP/
       0x0040 312e 310d 0a0d 0a0d 0a 1.1......

       12:36:09.954839 802.1Q vlan4093 P0 172.23.1.137.16092 > 172.23.1.18.44741: . ack 30 win 46 (DF)
       0x0000 0ffd 0800 4500 0028 ec8d 4000 4006 f378 ....E..(..@.@..x
       0x0010 ac17 0189 ac17 0112 3edc aec5 f159 996a ........>....Y.j
       0x0020 a395 636e 5010 002e d572 0000 0000 0000 ..cnP....r......
       0x0030 0000 ..

       12:36:09.954842 802.1Q vlan4093 P0 172.23.1.137.16092 > 172.23.1.18.44741: . ack 30 win 46 (DF)
       0x0000 0ffd 0800 4500 0028 ec8d 4000 4006 f378 ....E..(..@.@..x
       0x0010 ac17 0189 ac17 0112 3edc aec5 f159 996a ........>....Y.j
       0x0020 a395 636e 5010 002e d572 0000 ..cnP....r..


     

  • I don't see the 0 in the output. The hex value is 30, but the only 30's I see are the line numbers.

    Here is an example of hex with 0's: 2 in ASCII = 32 in hex, 0 in ASCII = 30 in hex, 0 in ASCII = 30 in hex.

       
       line number   hex                                         ascii   
       0x0130         3d3d 3d3d 0d0a 3230 3020 2d20 4f6b 6179        ====..200.-.Okay   
       

    The carriage return and line feed should show up as dots in the ascii and 0d 0a in hex.

    If you expect the server to only send 0 in the response body, it should be 30 0d 0a in hex. It looks like the server is actually sending nulls, and then random characters: E(@@x, etc. Is this encrypted? Or is it some proprietary protocol over HTTP?

    Here is what a test response from TCP::respond content "0\r\n\r\n" looks like:

       
       18:15:04.351359 802.1Q vlan4094 P0 10.41.135.20.81 > 172.31.42.18.3891: P 1:6(5) ack 155 win 3711 (DF)   
       0x0000   0ffe 0800 4500 002d fce7 4000 ff06 1774        ....E..-..@....t   
       0x0010   0a29 8714 ac1f 2a12 0051 0f33 57c6 a3e3        .)....*..Q.3W...   
       0x0020   2daf b11d 5018 0e7f 0bc5 0000 300d 0a0d        -...P.......0...   
       0x0030   0a                  . 
       

    The last five characters are 0 (30), carriage return (0d), line feed (0a), carriage return (0d), line feed (0a). Of course, I'd expect an HTTP server to respond with HTTP headers. If your application does, then these would be considered in the regex receive string match. So you'd actually want to specify something like:

    0\r\n\r\n$

    or perhaps:

    .*0\r\n\r\n$

    Aaron
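
A way to read dumps like the ones above without counting bytes by hand, as an added example (not code from the thread or from F5): it rebuilds the frame from `tcpdump -X` hex lines and uses the IPv4 total length and TCP data offset to separate the TCP payload from any trailing bytes. The function names are hypothetical, and the 4-byte link-layer prefix (`l2_len=4`) is an assumption read off these two dumps, where `0800` is followed directly by `4500`.

```python
import re

# Hex lines copied from two dumps quoted in this thread (summary lines omitted).
TEST_RESPONSE = """\
0x0000   0ffe 0800 4500 002d fce7 4000 ff06 1774        ....E..-..@....t
0x0010   0a29 8714 ac1f 2a12 0051 0f33 57c6 a3e3        .)....*..Q.3W...
0x0020   2daf b11d 5018 0e7f 0bc5 0000 300d 0a0d        -...P.......0...
0x0030   0a                  .
"""
SERVER_ACK = """\
0x0000 0ffd 0800 4500 0028 ec8d 4000 4006 f378 ....E..(..@.@..x
0x0010 ac17 0189 ac17 0112 3edc aec5 f159 996a ........>....Y.j
0x0020 a395 636e 5010 002e d572 0000 0000 0000 ..cnP....r......
0x0030 0000 ..
"""
HEX_GROUP = re.compile(r"(?:[0-9a-fA-F]{2}){1,2}")

def frame_bytes(dump):
    """Rebuild the captured bytes from the hex column of `tcpdump -X` output."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith("0x"):
            continue                      # packet summary line, not hex
        for tok in tokens[1:9]:           # at most 8 hex groups per line
            if not HEX_GROUP.fullmatch(tok):
                break                     # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)

def split_frame(dump, l2_len=4):
    """Return (tcp_payload, bytes_after_ip_datagram) for one IPv4/TCP packet."""
    ip = frame_bytes(dump)[l2_len:]       # assumption: 4 link-layer bytes shown
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:
        raise ValueError("expected IPv4/TCP at offset %d" % l2_len)
    ihl = (ip[0] & 0x0F) * 4              # IP header length in bytes
    total = int.from_bytes(ip[2:4], "big")  # IP total length field
    tcp = ip[ihl:total]
    data_off = (tcp[12] >> 4) * 4         # TCP header length in bytes
    return tcp[data_off:], ip[total:]

if __name__ == "__main__":
    for name, dump in (("test response", TEST_RESPONSE), ("server ACK", SERVER_ACK)):
        payload, trailer = split_frame(dump)
        print(name, "payload:", payload, "trailing:", trailer.hex())
```

For the test response this returns the five payload bytes `30 0d 0a 0d 0a`; for the server-to-client packet in the earlier dump it returns an empty payload plus six zero bytes that lie outside the 40-byte IP datagram, so that packet is a bare ACK carrying no response data.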
  • Thanks, but I have to be missing something, I tried both of your suggestions above...

    0\r\n\r\n$

    or perhaps:

    .*0\r\n\r\n$

    but they seem to make the monitor fail; if I change the receive string to 0, the monitor does not fail.

    The application does not send a CR / LF.

    Thanks
  • Which LTM version are you running? Is it an HTTPS monitor?

    If you enable bigd debug (b db bigd.debug enable), does /var/log/bigdlog show the unencrypted content? Or, if you make a request to the server from a browser do you see 0? If you use a header logger like Fiddler for IE or LiveHttpHeaders for FF, do you see any HTTP headers in the response? Else, using an interception proxy (like BURP - www.portswigger.net) what do you see in the unencrypted response?

    If the response has HTTP headers I imagine the response code contains a 0 and that's what it's matching on.

    Aaron
  • OK, using [ 0 ] does the trick. Now I just want to test with a status code of 500 or something else that would have a 0 in the page.
  • Posted By hoolio on 09/16/2008 1:17 PM

    Which LTM version are you running? Is it an HTTPS monitor?

    If you enable bigd debug (b db bigd.debug enable), does /var/log/bigdlog show the unencrypted content? Or, if you make a request to the server from a browser do you see 0? If you use a header logger like Fiddler for IE or LiveHttpHeaders for FF, do you see any HTTP headers in the response? Else, using an interception proxy (like BURP - www.portswigger.net) what do you see in the unencrypted response?

    If the response has HTTP headers I imagine the response code contains a 0 and that's what it's matching on.

    Aaron

    With the debug I am able to see the 0, and I was told there are no headers sent back either, but I will use Fiddler and post the results.

    Thanks
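
Why a bare `0` receive string passes while the anchored suggestions fail, and what that means for the 500 test mentioned above, shown as an added example (not from the thread or from F5). Python's `re` stands in for the monitor's regex engine, whose escape handling may differ; the three responses are constructed, and the last pattern is a hypothetical stricter candidate written in Python syntax.

```python
import re

# Constructed responses (not captured from the poster's server).
RESPONSES = {
    "bare 0": b"0",  # no headers, no CR/LF, as the poster describes
    "200 body 0": b"HTTP/1.1 200 OK\r\nContent-Length: 1\r\n\r\n0",
    "500 body 1": b"HTTP/1.1 500 Internal Server Error\r\n"
                  b"Content-Length: 1\r\n\r\n1",
}

# Receive strings proposed in the thread, plus one stricter candidate.
PATTERNS = {
    "0": rb"0",
    "^0\\n": rb"^0\n",
    "0\\r\\n\\r\\n$": rb"0\r\n\r\n$",
    ".*0\\r\\n\\r\\n$": rb".*0\r\n\r\n$",
    # Added here: the response is exactly "0", or a 200 response whose
    # body is exactly "0". \A and \Z are Python's absolute anchors.
    "strict": rb"\A(?:HTTP/1\.[01] 200 [^\r\n]*\r\n"
              rb"(?:[^\r\n]+\r\n)*\r\n)?0\Z",
}

def matches(pattern_name, response_name):
    """True if the named pattern is found anywhere in the named response."""
    return re.search(PATTERNS[pattern_name],
                     RESPONSES[response_name]) is not None

def marked_up(pattern_name):
    """Responses that this receive string would treat as a healthy node."""
    return [r for r in RESPONSES if matches(pattern_name, r)]

if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name!r:22} -> up for: {marked_up(name)}")
```

The bare `0` pattern marks all three responses up, including the 500 whose body is `1`, because it finds a `0` in the status line; the CR/LF-anchored patterns match none of them because no response ends in `0` followed by line endings.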