Hi Kings,

This does not work as expected - I know that. To make it work try this:

match start l3-start offset 36 size 2 string jo

The problem with "payload-start" is that it does not start from where the payload is or the FPM looks differently at the packet :) The above should work.

The 36 bytes are:
20 - IP Header
8 - ICMP Header
8 - junk data in ICMP payload

Also make sure that the ICMP packet is at least 42 bytes in length to be properly parsed by FPM.

btw: I assume you use "data 6A6F" parameter when pinging :)

Regards,
Piotr

2010/11/18 Kingsley Charles <[email protected]>

> Hi all
>
> The following doesn't match.
>
> match start ICMP payload-start offset 0 size 2 string "jo"
>
> The following is matched from 14 bytes onwards
>
> match start ICMP payload-start offset 0 size 14 string "jo"
>
> "jo" is 2 bytes in length and hence I thought putting 2 bytes would
> suffice starting from ICMP payload.
>
> Even if I consider 8 bytes of ICMP header, how come it requires 14 bytes?
>
> *start ICMP payload-start* means it should start from the ICMP payload
> which means 2 bytes is correct right?
>
> With regards
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
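Added example, not part of the original thread: a Python check of the 20 + 8 + 8 offset arithmetic from the reply, run against a constructed ICMP echo packet, which also shows that the fixed offset 36 shifts when the IP header carries options. The function names, addresses, zero-filled "junk" bytes and the reading of l3-start as "first byte of the IP header" are assumptions made for the illustration.

```python
import struct

ICMP_HDR = 8       # fixed ICMP echo header length
FPM_MIN_LEN = 42   # minimum packet length quoted in the reply above

def icmp_echo_packet(payload: bytes, options: bytes = b"") -> bytes:
    """Build a constructed IPv4 + ICMP echo request (checksums left at zero)."""
    ihl = 5 + len(options) // 4                     # header length in 32-bit words
    total = ihl * 4 + ICMP_HDR + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + options
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)     # type 8, code 0, id 1, seq 1
    return ip + icmp + payload

def locate(packet: bytes, pattern: bytes) -> dict:
    """Find pattern in the ICMP payload, counted from the start of the IP header."""
    ip_hdr = (packet[0] & 0x0F) * 4                 # honour IHL, do not assume 20
    if packet[9] != 1:
        raise ValueError("not an ICMP packet")
    payload_start = ip_hdr + ICMP_HDR
    idx = packet.find(pattern, payload_start)
    if idx < 0:
        raise ValueError("pattern not present in ICMP payload")
    return {"ip_header": ip_hdr, "icmp_header": ICMP_HDR,
            "payload_skip": idx - payload_start, "offset": idx,
            "meets_min_len": len(packet) >= FPM_MIN_LEN}

def fpm_match(packet: bytes, pattern: bytes) -> str:
    """Render the match line in the form used in the reply above."""
    info = locate(packet, pattern)
    return (f"match start l3-start offset {info['offset']} "
            f"size {len(pattern)} string {pattern.decode('ascii')}")

# Constructed sample: 8 zero bytes stand in for the "junk data", then the
# 0x6A6F ("jo") pattern repeated, as a ping with "data 6A6F" would fill it.
JUNK = bytes(8)
SAMPLE = icmp_echo_packet(JUNK + b"jo" * 14)
# Same payload behind a 24-byte IP header (three NOP options plus end-of-list).
SAMPLE_WITH_OPTIONS = icmp_echo_packet(JUNK + b"jo" * 14, options=b"\x01\x01\x01\x00")

if __name__ == "__main__":
    for name, pkt in (("no options", SAMPLE), ("ip options", SAMPLE_WITH_OPTIONS)):
        print(name, locate(pkt, b"jo"), fpm_match(pkt, b"jo"), sep="\n  ")
```

If the filter has to match traffic whose IP header may carry options, the offset from l3-start is no longer constant, so a static "offset 36" only covers the 20-byte header case.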
