Thanks Piotr. Yes, I did use 6A6F for "jo"
With regards
Kings

On Mon, Nov 22, 2010 at 11:58 PM, Piotr Matusiak <[email protected]> wrote:

> Hi Kings,
>
> This does not work as expected - I know that. To make it work try this:
> match start l3-start offset 36 size 2 string jo
>
> The problem with 'payload-start' is that it does not start from where the
> payload is or the FPM looks differently at the packet :)
>
> The above should work. The 36 bytes are:
> 20 - IP Header
> 8 - ICMP Header
> 8 - junk data in ICMP payload
>
> Also make sure that the ICMP packet is at least 42 bytes in length to be
> properly parsed by FPM.
>
> btw: I assume you use "data 6A6F" parameter when pinging :)
>
> Regards,
> Piotr
>
>
> 2010/11/18 Kingsley Charles <[email protected]>
>
>> Hi all
>>
>> The following doesn't match.
>>
>> match start ICMP payload-start offset 0 size 2 string "jo"
>>
>> The following is matched from 14 bytes onwards
>>
>> match start ICMP payload-start offset 0 size 14 string "jo"
>>
>>
>> "jo" is 2 bytes in length and hence I thought putting 2 bytes would
>> suffice starting from ICMP payload.
>>
>>
>> Even if I consider 8 bytes of ICMP header, how come it requires 14 bytes?
>>
>> *start ICMP payload-start* means it should start from the ICMP payload
>> which means 2 bytes is correct right?
>>
>>
>> With regards
>> Kings
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
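The offset arithmetic from Piotr's reply, as an added example that is not part of the original thread: it parses a constructed IPv4/ICMP echo packet and reports where a pattern sits relative to the L3 start and to the ICMP payload start. The packet layout (8 filler bytes before the `6A6F` pattern), the addresses and the helper names `build_echo`, `locate` and `fpm_match` are assumptions made for illustration.

```python
import struct

def build_echo(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed IPv4 + ICMP echo request; checksums left at 0 (layout only)."""
    if len(options) % 4:
        raise ValueError("IP options must be a multiple of 4 bytes")
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload   # type, code, csum, id, seq
    ihl_words = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0,
                     ihl_words * 4 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + options + icmp

def locate(packet: bytes, pattern: bytes) -> dict:
    """Find the first `pattern` hit in the ICMP payload and report its offsets."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4            # IP header length: 20 without options
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        raise ValueError("not a complete ICMP packet")
    payload_start = ihl + 8                 # ICMP echo header is 8 bytes
    idx = packet.find(pattern, payload_start)
    if idx < 0:
        raise ValueError("pattern not found in ICMP payload")
    return {"l3_offset": idx, "payload_offset": idx - payload_start,
            "size": len(pattern), "packet_len": len(packet)}

def fpm_match(packet: bytes, pattern: bytes) -> str:
    """Render the hit in the 'match start l3-start' form quoted in the thread."""
    hit = locate(packet, pattern)
    return (f"match start l3-start offset {hit['l3_offset']} "
            f"size {hit['size']} string {pattern.decode('ascii')}")

# Constructed sample: 8 filler bytes, then the pattern 0x6A6F ("jo") repeated.
SAMPLE = build_echo(bytes(8) + bytes.fromhex("6A6F") * 4)

if __name__ == "__main__":
    print(locate(SAMPLE, b"jo"))
    print(fpm_match(SAMPLE, b"jo"))
    # With 4 bytes of IP options the same payload sits 4 bytes later from L3 start.
    print(locate(build_echo(bytes(8) + b"jo" * 4, options=bytes(4)), b"jo"))
```

A fixed `l3-start` offset only holds while the IP header stays at 20 bytes; the last call shows the same payload shifting when IP options are present.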
