How to Configure nProbe to Export URLs and Latency via NetFlow


Our friends at Plixer have written a nice article about how to use nProbe to export HTTP and latency information.

Note that you can also use the nProbe HTTP plugin to trace HTTP events and rebuild user sessions. This is because NetFlow is not really the best protocol for exporting this kind of information. The available options are:

--http-dump-dir <dump dir>     Directory where the HTTP dump files are written
--http-exec-cmd <cmd>          Command executed whenever a directory has been dumped
--dont-hash-cookies            Dump the cookie string instead of the cookie hash
--dont-nest-dump-dirs          Don't create subdirectories in the dump directory
--max-http-log-lines <num>     Max number of lines per log file (default 10000)

For instance:
nprobe --http-dump-dir ~/http --http-exec-cmd /home/deri/processHTTP.py --max-http-log-lines 500

dumps files of up to 500 lines each in ~/http, and once a file has been dumped it is processed using processHTTP.py.

Dump files have the following format:

#
# Client	Server	Protocol	Method	URL	HTTPReturnCode	Referer	UserAgent	ContentType	Bytes	BeginTime	EndTime	Flow Hash	Cookie
#
65.175.140.3	www.plixer.com	http		/blog/wp-content/plugins/wp-cumulus/tagcloud.swf?r=8093784	200	www.plixer.com/blog/index.php?s=netflow	Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1064 Safari/532.5	application/x-shockwave-flash	39720	1273583995	1273583996	1507291460	80462
82.211.65.226	www.plixer.com	http		/includes/AC_RunActiveContent.js	304	www.plixer.com/support/download_request.php	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)		3869	1273584001	1273584002	1794801542	68289
82.211.65.226	www.plixer.com	http		/includes/functions.js	304	www.plixer.com/support/download_request.php	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)		3676	1273584001	1273584002	1794801542	68976

so that you can do anything with them, from web statistics to network forensics.
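As an added example (not part of the original post or of nProbe), here is a small script of the kind one might point --http-exec-cmd at: it parses the tab-separated dump format shown above, derives per-request latency from BeginTime/EndTime, and produces a summary useful for web statistics and forensics. It assumes the command receives the dumped directory as its first argument; the sample lines are constructed, not captured traffic.

```python
import sys
from collections import Counter, defaultdict
from pathlib import Path

# Column order taken from the header comment of an nProbe HTTP dump file.
COLUMNS = ["client", "server", "protocol", "method", "url", "return_code",
           "referer", "user_agent", "content_type", "bytes",
           "begin_time", "end_time", "flow_hash", "cookie"]

def parse_dump(text):
    """Return one dict per request line; lines starting with '#' are comments."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            # Reject rather than silently shift columns (e.g. a stray tab inside a header value).
            raise ValueError(f"line {lineno}: expected {len(COLUMNS)} fields, got {len(fields)}")
        rec = dict(zip(COLUMNS, fields))
        for key in ("return_code", "bytes", "begin_time", "end_time"):
            rec[key] = int(rec[key])
        rec["latency_s"] = rec["end_time"] - rec["begin_time"]  # BeginTime/EndTime are epoch seconds
        records.append(rec)
    return records

def summarize(records):
    """Requests per client, bytes per server, and every request answered with a 4xx/5xx code."""
    per_client = Counter(r["client"] for r in records)
    bytes_per_server = defaultdict(int)
    for r in records:
        bytes_per_server[r["server"]] += r["bytes"]
    errors = [r for r in records if r["return_code"] >= 400]
    return per_client, dict(bytes_per_server), errors

# Constructed sample in the dump format (RFC 5737 test addresses, not captured traffic).
SAMPLE = "\n".join([
    "#",
    "# Client\tServer\tProtocol\tMethod\tURL\tHTTPReturnCode\tReferer\tUserAgent\tContentType\tBytes\tBeginTime\tEndTime\tFlow Hash\tCookie",
    "#",
    "\t".join(["192.0.2.10", "www.example.com", "http", "GET", "/index.html", "200", "", "Mozilla/5.0", "text/html", "5120", "1273583995", "1273583997", "1507291460", "80462"]),
    "\t".join(["192.0.2.10", "www.example.com", "http", "GET", "/missing.png", "404", "www.example.com/index.html", "Mozilla/5.0", "text/html", "300", "1273584001", "1273584001", "1794801542", "80462"]),
    "\t".join(["198.51.100.7", "cdn.example.com", "http", "GET", "/app.js", "304", "www.example.com/index.html", "Mozilla/5.0", "", "0", "1273584002", "1273584004", "1794801543", "68289"]),
])

if __name__ == "__main__":
    # Assumption: --http-exec-cmd passes the dumped directory as argv[1]; with no argument, use the sample.
    text = "\n".join(p.read_text() for p in Path(sys.argv[1]).iterdir()) if len(sys.argv) > 1 else SAMPLE
    per_client, bytes_per_server, errors = summarize(parse_dump(text))
    print(dict(per_client), bytes_per_server, [(e["client"], e["url"]) for e in errors])
```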