Hexdump for iRules
There are times when you really would like to get a dump of a packet’s binary payload from within iRules, and dump it in a log file. This is very helpful for checking not only an incoming packet’s payload, but also any payloads you may be generating so you can check to see if the fields are lined up, values are correct, etc. I’ve used hexdump functions for years in things like Perl and Python, but I could not find anything similar for iRules, so I wrote one.
if { $static::DEBUG eq 1 } { # The hexbinary code we want to decode is stored in $payload ## ## format string for hexdump output ## set p 0 ;## buf ptr set sl [string length $payload] set inPkt "\n\n" while { $p < $sl } { set s [string range $payload $p [expr {$p+16}] ] binary scan $s H*@0a* hex ascii regsub -all -- {[^[:graph:] ]} $ascii {.} ascii set hex1 [string range $hex 0 15] set hex2 [string range $hex 16 31] set ascii1 [string range $ascii 0 7] set ascii2 [string range $ascii 8 15] # Convert the hex to pairs of hex digits regsub -all -- {..} $hex1 {& } hex1 regsub -all -- {..} $hex2 {& } hex2 append inPkt "[format {%08x %-24s %-24s %-8s %-8s} $p $hex1 $hex2 $ascii1 $ascii2]\n" set p [expr {$p + 16}] } ### puts "Input PKT: $inPkt" ;## print the output to /var/log/tmm }Notice that we are using “puts” commands rather than the more common “log local0.” commands, as the log command strips out linefeeds and would mess up our output.
Here’s how it looks when I used it to output a RADIUS Accounting Update packet that I wanted to modify on the fly:<13> Jan 13 19:21:06 local/bigipfw notice >>CLIENT_DATA <13> Jan 13 19:21:06 local/bigipfw notice RADIUS code: Accounting-Request <13> Jan 13 19:21:06 local/bigipfw notice RADIUS id: 12 <13> Jan 13 19:21:06 local/bigipfw notice User-Name: 31016090000000001 <13> Jan 13 19:21:06 local/bigipfw notice Called-Station-Id: offload.F5_Customer.com <13> Jan 13 19:21:06 local/bigipfw notice Acct-Type: Interum-Update(3) <13> Jan 13 19:21:06 local/bigipfw notice NAS-Identifier: IPhoneOS <13> Jan 13 19:21:06 local/bigipfw notice NAS-Port: 4608 <13> Jan 13 19:21:06 local/bigipfw notice Framed-IP-Address: 192.168.1.1 <13> Jan 13 19:21:06 local/bigipfw notice Tunnel-Client-Endpoint: 10.1.1.45 <13> Jan 13 19:21:06 local/bigipfw notice Authenticator: c1304dd1a21e61d75a97b27dce74b926 <13> Jan 13 19:21:06 local/bigipfw notice VSA id: 3GPP, number: 3GPP-IMSI, length: 19, value: 31016090000000001 <13> Jan 13 19:21:06 local/bigipfw notice Input PKT: <13> Jan 13 19:21:06 local/bigipfw notice 00000000 04 0c 00 8c c1 30 4d d1 a2 1e 61 d7 5a 97 b2 7d ....Á0MÑ ¢.a×Z.²} <13> Jan 13 19:21:06 local/bigipfw notice 00000010 ce 74 b9 26 20 0a 49 50 68 6f 6e 65 4f 53 01 13 Ît¹& .IP honeOS.. <13> Jan 13 19:21:06 local/bigipfw notice 00000020 33 31 30 31 36 30 39 30 30 30 30 30 30 30 30 30 31016090 00000000 <13> Jan 13 19:21:06 local/bigipfw notice 00000030 31 1e 19 6f 66 66 6c 6f 61 64 2e 46 35 5f 43 75 1..offlo ad.F5_Cu <13> Jan 13 19:21:06 local/bigipfw notice 00000040 73 74 6f 6d 65 72 2e 63 6f 6d 2c 06 ff 08 02 00 stomer.c om,.ÿ... <13> Jan 13 19:21:06 local/bigipfw notice 00000050 28 06 00 00 00 03 05 06 00 00 12 00 42 0b 31 30 (....... ....B.10 <13> Jan 13 19:21:06 local/bigipfw notice 00000060 2e 31 2e 31 2e 34 35 08 06 c0 a8 01 01 04 06 7f .1.1.45. .À¨..... <13> Jan 13 19:21:06 local/bigipfw notice 00000070 00 00 01 1a 19 00 00 28 af 01 13 33 31 30 31 36 .......( ¯..31016 <13> Jan 13 19:21:06 local/bigipfw notice 00000080 30 39 30 30 30 30 30 30 30 30 30 31 09000000 0001 <13> Jan 13 19:21:06 local/bigipfw notice Resp: 050c0014c33b32cc5a8befa41e8ed962b3972aa2You should not put this into a production environment, as the write out to the logs would be a substantial performant hit….but it’s great for debugging! You also only want to have one connection at a time, as multiple connections will all show together interspersed with one another.