
how to make my own L7 pattern

Discussion in 'Sveasoft Firmware' started by BombrMan, Jun 30, 2005.

  1. BombrMan

    BombrMan Network Guru Member

    I am running alchemy and am basically trying to add Planetside to the services list for QoS by service. So far I have gone to the L7 page and read their instructions on how to create your own .pat files, and I used smartsniff to capture some packets while I was playing. The captured packet window in smartsniff shows me this big old mess.
    I was under the impression that there would be some strings in there that I could find and match but it just looks like gibberish to me. As far as actually getting the pattern into the router I found this post, which I'm assuming is correct. All I need to do then is figure out the pattern. Also, if someone could explain this to me then I can try and put together a step by step guide to getting custom L7 patterns up and running, since I couldn't find one that's already done.
  2. _Shorty

    _Shorty Network Guru Member

    I find the easiest way to do it is to go through the ethereal capture business a few times so you have a few different captures of the beginning of the communication. And if you look at the data in ethereal it also lets you ignore the 'housekeeping' parts of the packets so that you can see the parts that are important for the job at hand. For example, here's a screenshot of ethereal with the first incoming packet of a Counter-Strike Source connection, with the relevant information selected. All the stuff before this part of the packet is just 'housekeeping' stuff that we aren't to be concerned with as far as L7 patterns go.


    That's one of the packets I used to confirm the new pattern for Counter-Strike Source, which is this:


    The first returned packet from the game server starts with four FF bytes, and this is what the first part of the pattern means:

    ^\xff\xff\xff\xff = the first four bytes are FF FF FF FF

    And then the .* means any amount of any characters, and in this case followed by an instance of cstrikeCounter-Strike. Hope that helps.
  3. BombrMan

    BombrMan Network Guru Member

    Ok, so I captured a bunch of packets with ethereal, and as far as I can see, the only pattern between them all is that the data part always begins with F_.. where _ is a single character. Do I need a pattern that matches all the packets, or just the 1st one returned from the server? Also, none of the packets contain any text as far as I can see. Am I doing something wrong with the capture?
  4. _Shorty

    _Shorty Network Guru Member

    Mind sending me the captures in ethereal's .libcap file format that it saves in? I can take a look. cherrytwist at gmail dot com
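
The pattern walked through in the thread, and the "shared leading bytes" approach from the later question, can be checked offline before anything is loaded onto the router. The following is an added example, not code from any of the posters: the payloads are constructed, the function names are hypothetical, Python's `re` only approximates the router's regex engine, and it assumes the kernel l7-filter drops NUL bytes before matching.

```python
import re

# Pattern described in the post above: four FF bytes, anything, then the literal text.
CSS_PATTERN = rb"^\xff\xff\xff\xff.*cstrikeCounter-Strike"

def normalize(payload: bytes) -> bytes:
    # Assumption: the kernel l7-filter drops NUL bytes before matching.
    return payload.replace(b"\x00", b"")

def l7_match(pattern: bytes, payload: bytes, strip_nulls: bool = True) -> bool:
    """Approximate an L7 match with Python's re on one packet's data bytes."""
    data = normalize(payload) if strip_nulls else payload
    # DOTALL: '.' must also cover newline bytes inside binary payloads.
    return re.search(pattern, data, re.DOTALL) is not None

def prefix_pattern(payloads):
    """Build an anchored \\xNN pattern from the leading bytes all captures share."""
    prefix = bytearray()
    for column in zip(*(normalize(p) for p in payloads)):
        if len(set(column)) != 1:
            break
        prefix.append(column[0])
    if not prefix:
        return None  # nothing in common: no usable prefix pattern
    return b"^" + b"".join(b"\\x%02x" % b for b in prefix)

# Constructed sample payloads (not taken from a real capture).
CSS_REPLY = (b"\xff\xff\xff\xffI\x07Test Server\x00de_dust\x00"
             b"cstrike\x00Counter-Strike: Source\x00")
OTHER_REPLY = b"\xff\xff\xff\xffI\x07Test Server\x00map1\x00other\x00Other Game\x00"
UNKNOWN_GAME = [b"F\x41\x10\x02\x9c\x33", b"F\x42\x7f\x01\x55\x90",
                b"F\x43\x03\x88\x21\x0e"]

if __name__ == "__main__":
    print("CSS reply, NULs stripped:", l7_match(CSS_PATTERN, CSS_REPLY))
    print("CSS reply, NULs kept:    ", l7_match(CSS_PATTERN, CSS_REPLY, strip_nulls=False))
    print("Other game reply:        ", l7_match(CSS_PATTERN, OTHER_REPLY))
    candidate = prefix_pattern(UNKNOWN_GAME)
    print("Candidate from captures: ", candidate)
    # A one-byte prefix also matches unrelated data that happens to start with 'F'.
    print("Matches unrelated data:  ", l7_match(candidate, b"Foo bar"))
```

A candidate built from a single shared byte is too broad to classify traffic reliably, so it is worth running it against captures of other applications before using it for QoS.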
