Taking advantage of that: what is the theory of fragment offset? I read it many times and my last conclusion was that fragment offset 1 would match the FIRST 8 bits (or 1 byte). So, when I would like to match the protocol type within the IP header, I would do fragment offset 9, which would be the third line, the second block of 8 bits.

Is this correct? I am asking because I saw offset 36, and where would it be? 36 / 4 = 9th line of the header? I am lost with that. In the Cisco doc for FPM I didn't see anything about offset: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd803936f6.html

Any help?

On Tue, Nov 23, 2010 at 4:46 AM, Kingsley Charles <[email protected]> wrote:
> Thanks Piotr.
>
> Yes, I did use 6A6F for "jo"
>
> With regards
> Kings
>
> On Mon, Nov 22, 2010 at 11:58 PM, Piotr Matusiak <[email protected]> wrote:
>
>> Hi Kings,
>>
>> This does not work as expected - I know that. To make it work try this:
>> match start l3-start offset 36 size 2 string jo
>>
>> The problem with 'payload-start' is that it does not start from where the
>> payload is or the FPM looks differently at the packet :)
>>
>> The above should work. The 36 bytes are:
>> 20 - IP Header
>> 8 - ICMP Header
>> 8 - junk data in ICMP payload
>>
>> Also make sure that the ICMP packet is at least 42 bytes in length to
>> be properly parsed by FPM.
>>
>> btw: I assume you use the "data 6A6F" parameter when pinging :)
>>
>> Regards,
>> Piotr
>>
>> 2010/11/18 Kingsley Charles <[email protected]>
>>
>>> Hi all
>>>
>>> The following doesn't match.
>>>
>>> match start ICMP payload-start offset 0 size 2 string "jo"
>>>
>>> The following is matched from 14 bytes onwards
>>>
>>> match start ICMP payload-start offset 0 size 14 string "jo"
>>>
>>> "jo" is 2 bytes in length and hence I thought putting 2 bytes would
>>> suffice starting from the ICMP payload.
>>>
>>> Even if I consider 8 bytes of ICMP header, how come it requires 14 bytes?
>>>
>>> *start ICMP payload-start* means it should start from the ICMP payload,
>>> which means 2 bytes is correct, right?
>>>
>>> With regards
>>> Kings
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>
>

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
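Piotr's byte arithmetic (20 IP header + 8 ICMP header + 8 filler = offset 36 from l3-start), worked through on a constructed packet as an added example; this is not code from the thread. `fpm_match` is a hypothetical emulation of the FPM `match start ... offset ... size ... string` clause that assumes offsets are counted in bytes from the chosen start and that the string may sit anywhere inside the `size` window (the behaviour Kings saw with `size 14`).

```python
import struct

ICMP_HEADER_LEN = 8   # type, code, checksum, identifier, sequence
JUNK_LEN = 8          # filler bytes the thread assumes before "jo" in the payload

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used for both the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_echo(payload: bytes) -> bytes:
    """Constructed IPv4 + ICMP echo request (no IP options, so IHL = 5 -> 20 bytes)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # protocol 1 = ICMP
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp

def l3_offset_of_payload_string(packet: bytes, junk_len: int = JUNK_LEN) -> int:
    """Byte offset from l3-start of the first payload byte after the filler.
    Derived from IHL, so it stays correct if the IP header carries options."""
    ihl_bytes = (packet[0] & 0x0F) * 4
    return ihl_bytes + ICMP_HEADER_LEN + junk_len

def fpm_match(packet: bytes, start: str, offset: int, size: int, pattern: bytes) -> bool:
    """Emulate 'match start <start> offset <o> size <s> string <p>' (assumed semantics):
    take <s> bytes beginning <o> bytes after the chosen start, look for <p> in that window."""
    ihl_bytes = (packet[0] & 0x0F) * 4
    base = {"l3-start": 0, "l4-start": ihl_bytes}[start]
    window = packet[base + offset: base + offset + size]
    return pattern in window

if __name__ == "__main__":
    pkt = build_icmp_echo(b"\x00" * JUNK_LEN + b"jo")     # 20 + 8 + 8 + 2 = 38 bytes
    print(len(pkt), l3_offset_of_payload_string(pkt))    # 38 36
    print(fpm_match(pkt, "l3-start", 36, 2, b"jo"))      # True
    print(fpm_match(pkt, "l3-start", 9, 1, b"\x01"))     # True: IP protocol byte is ICMP
    print(fpm_match(pkt, "l4-start", 16, 2, b"jo"))      # True: 8 ICMP header + 8 filler
```

Counting from l4-start instead of l3-start drops the 20 IP header bytes, so the same "jo" is found at offset 16; offsets are bytes, not 32-bit header rows.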
