
List:       l7-filter-developers
Subject:    Re: [l7-filter-developers] how to match  this protocol?
From:       Matthew Strait <quadong () users ! sourceforge ! net>
Date:       2006-01-01 23:58:34
Message-ID: Pine.LNX.4.64.0601011755440.7089 () mattdesk ! strait

> how to match this protocol ?
>
> fe 01 02 02 01 xx xx xx xx
> fe 05 07 07 05 xx xx xx xx
> fe 00 fe fe 00 xx xx xx xx
> fe 9c 00 00 9c xx xx xx xx
> fe e7 39 39 e7 xx xx xx xx
>
> The 1st char is "\xfe", the 2nd and the 5th are the same, the 3rd and the 
> 4th are the same.

Are you showing 5 different sessions or just one session?  If it is just 
one session, then the best way to match this would be to just look for the 
\xfe:

^\xfe....?.?.?.?\xfe

For this, you should adjust the number of question marks to account for 
how many 00 bytes you think might appear.

If it is 5 different sessions, then it is very hard to match well with 
l7-filter.  There's no good way to say "these two bytes can be anything, 
but they are the same as each other".  See our conversations about Skype 
for more discussion of this.

-Matthew
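
The "5 different sessions" case discussed above, as an added example that is not part of the original message or of l7-filter: the rule from the question needs "same byte again" matching, which the reply says l7-filter has no good way to express, so the sketch below checks it with Python backreferences and with an explicit byte comparison, then counts how much looser a first-byte-only rule is. The function names, the 0x11 filler for the "xx" bytes, and the non-matching payloads are constructed for illustration.

```python
import re
from itertools import product

# Rule from the question: byte 1 is 0xfe, byte 2 == byte 5, byte 3 == byte 4.
# Python's re has backreferences (\1, \2); DOTALL lets "." match 0x0a as well.
HEADER_RE = re.compile(rb"\xfe(.)(.)\2\1", re.DOTALL)

def is_header(payload: bytes) -> bool:
    """Explicit comparison on the first five payload bytes."""
    return (len(payload) >= 5 and payload[0] == 0xFE
            and payload[1] == payload[4] and payload[2] == payload[3])

def is_header_regex(payload: bytes) -> bool:
    """Same rule, expressed as a regex with backreferences."""
    return HEADER_RE.match(payload) is not None

def first_byte_only(payload: bytes) -> bool:
    """All that a pattern without backreferences can pin down here."""
    return payload[:1] == b"\xfe"

# Constructed samples: the five headers from the question, "xx" filled with 0x11.
SAMPLES = [bytes.fromhex(h) + b"\x11" * 4 for h in
           ("fe01020201", "fe05070705", "fe00fefe00", "fe9c00009c", "fee73939e7")]

# Constructed payloads that must not match: bytes 3/4 differ, wrong first
# byte, and a payload too short to contain the whole header.
NEGATIVES = [bytes.fromhex(h) for h in
             ("fe0102030111111111", "fd0102020111111111", "fe010202")]

def compare_rules():
    """Count hits over every header fe a b c d with a, b, c, d in 0..15."""
    loose = strict = 0
    for a, b, c, d in product(range(16), repeat=4):
        p = bytes([0xFE, a, b, c, d])
        # Both strict implementations must agree, including on 0x00 and 0x0a.
        assert is_header(p) == is_header_regex(p)
        loose += first_byte_only(p)
        strict += is_header(p)
    return loose, strict

if __name__ == "__main__":
    for s in SAMPLES + NEGATIVES:
        print(s.hex(), is_header(s), is_header_regex(s))
    print("first-byte-only hits, strict hits:", compare_rules())
```

Over the enumerated headers the first-byte-only rule accepts every payload, while the equality rule accepts one in 256 of them; over full byte values the ratio is one in 65536.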

