The protocol field is 80 bits from l3 start, which is 10 bytes.
With regards
Kings

On Tue, Nov 23, 2010 at 7:47 PM, Bruno <[email protected]> wrote:
> Taking advantage of that
>
> What is the theory of fragment offset? I read many times and my last
> conclusion was fragment offset 1 would match the FIRST 8 bits (or 1 byte).
> So, when I would like to match the protocol type within IP header, I would
> do fragment offset 9 that would be the third line, the second block of 8
> bits.
>
> Is this correct? I am asking because I saw offset 36, and where would it
> be? 36 / 4 = 9th line of the header?
> I am lost with that
>
> The Cisco doc for FPM didn't see anything for offset
>
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd803936f6.html
>
> Any help?
>
> On Tue, Nov 23, 2010 at 4:46 AM, Kingsley Charles <[email protected]> wrote:
>
>> Thanks Piotr.
>>
>> Yes, I did use 6A6F for "jo"
>>
>> With regards
>> Kings
>>
>> On Mon, Nov 22, 2010 at 11:58 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> Hi Kings,
>>>
>>> This does not work as expected - I know that. To make it work try this:
>>> match start l3-start offset 36 size 2 string jo
>>>
>>> The problem with 'payload-start' is that it does not start from where the
>>> payload is or the FPM looks differently at the packet :)
>>>
>>> The above should work. The 36 bytes are:
>>> 20 - IP Header
>>> 8 - ICMP Header
>>> 8 - junk data in ICMP payload
>>>
>>> Also make sure that the ICMP packet is at least of 42 bytes in length to
>>> be properly parsed by FPM.
>>>
>>> btw: I assume you use "data 6A6F" parameter when pinging :)
>>>
>>> Regards,
>>> Piotr
>>>
>>> 2010/11/18 Kingsley Charles <[email protected]>
>>>
>>>> Hi all
>>>>
>>>> The following doesn't match.
>>>>
>>>> match start ICMP payload-start offset 0 size 2 string "jo"
>>>>
>>>> The following is matched from 14 bytes onwards
>>>>
>>>> match start ICMP payload-start offset 0 size 14 string "jo"
>>>>
>>>> "jo" is 2 bytes in length and hence I thought putting 2 bytes would
>>>> suffice starting from ICMP payload.
>>>>
>>>> Even if I consider 8 bytes of ICMP header, how come it requires 14 bytes?
>>>>
>>>> *start ICMP payload-start* means it should start from the ICMP payload
>>>> which means 2 bytes is correct right?
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
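Piotr's offset arithmetic (20 IP + 8 ICMP + 8 bytes ahead of the ping data = 36) and his 42-byte caveat, as an added Python model that is not code from the thread or from Cisco: it builds a constructed IPv4/ICMP echo packet, evaluates FPM-style offset/size/string matches counted from l3-start, and reads the IPv4 protocol field at byte offset 9 as an offset cross-check. The zeroed checksums, placeholder addresses and all-zero 8-byte prefix are assumptions; the byte counts come from the thread.

```python
import struct

# Byte layout as FPM counts it from "l3-start", using the sizes Piotr gives.
IP_HDR_LEN = 20        # IPv4 header without options
ICMP_HDR_LEN = 8       # ICMP echo header: type, code, checksum, identifier, sequence
PING_PREFIX_LEN = 8    # the 8 "junk" bytes IOS ping places before the "data" pattern
FPM_MIN_LEN = 42       # minimum packet length Piotr says FPM needs to parse the packet
IP_PROTO_OFFSET = 9    # the IPv4 protocol field is the tenth header byte (bits 72-79)


def build_icmp_echo(pattern: bytes, prefix: bytes = b"\x00" * PING_PREFIX_LEN) -> bytes:
    """Constructed IPv4 + ICMP echo-request sample; checksums are left zero (assumption)."""
    payload = prefix + pattern
    total_len = IP_HDR_LEN + ICMP_HDR_LEN + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0, 64, 1, 0,    # v4/IHL=5, proto 1 = ICMP
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # placeholder addresses
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, 1, 1)                 # echo request, id 1, seq 1
    return ip_hdr + icmp_hdr + payload


def fpm_parseable(packet: bytes) -> bool:
    """Piotr's caveat: FPM only parses the packet once it is at least 42 bytes long."""
    return len(packet) >= FPM_MIN_LEN


def fpm_match(packet: bytes, offset: int, size: int, string: bytes) -> bool:
    """Model 'match start l3-start offset N size M string S': compare M bytes at byte N."""
    if not fpm_parseable(packet) or len(packet) < offset + size:
        return False
    return packet[offset:offset + size] == string[:size]


def pattern_offset(packet: bytes, pattern: bytes) -> int:
    """Byte offset from l3-start at which the ping data first appears (-1 if absent)."""
    return packet.find(pattern)


def ip_protocol(packet: bytes) -> int:
    """Read the IPv4 protocol number so an offset-9 match can be cross-checked."""
    return packet[IP_PROTO_OFFSET]


if __name__ == "__main__":
    pkt = build_icmp_echo(bytes.fromhex("6A6F") * 3)  # "jo" repeated, as ping fills the datagram
    print(len(pkt), pattern_offset(pkt, b"jo"), fpm_match(pkt, 36, 2, b"jo"))
```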
