HTTP Plugin

This plugin dissects HTTP traffic information and saves it in dump files as well export the information via NetFlow/IPFIX using the following information elements.

[NFv9 57652][IPFIX 35632.180][Len 128 varlen] %HTTP_URL                         HTTP URL (IXIA URI)
[NFv9 57832][IPFIX 35632.360][Len 4 varlen] %HTTP_METHOD                HTTP METHOD
[NFv9 57653][IPFIX 35632.181][Len 2] %HTTP_RET_CODE                     HTTP return code (e.g. 200, 304...)
[NFv9 57654][IPFIX 35632.182][Len 128 varlen] %HTTP_REFERER                     HTTP Referer
[NFv9 57655][IPFIX 35632.183][Len 256 varlen] %HTTP_UA                          HTTP User Agent
[NFv9 57656][IPFIX 35632.184][Len 256 varlen] %HTTP_MIME                        HTTP Mime Type
[NFv9 57659][IPFIX 35632.187][Len 64 varlen] %HTTP_HOST                         HTTP(S) Host Name (IXIA Host Name)
[NFv9 57833][IPFIX 35632.361][Len 64 varlen] %HTTP_SITE                         HTTP server without host name
[NFv9 57932][IPFIX 35632.460][Len 256 varlen] %HTTP_X_FORWARDED_FOR             HTTP X-Forwarded-For
[NFv9 57933][IPFIX 35632.461][Len 256 varlen] %HTTP_VIA                         HTTP Via

The plugin supports the following command line options that are used to specify where the (optional) HTTP log file is saved. As previously described for -P, dumps are nested in directories. It is possible to instruct nProbe to execute a command when a directory (not a log file) if fully dumped (i.e. nProbe has moved to the next directory in time order).

--http-dump-dir <dump dir>                         | Directory where HTTP logs will be dumped
--http-content-dump-dir <dump dir>                 | Directory where HTTP content (request only) will be dumped
--http-content-dump-response                       | Dump both HTTP request and response with --http-content-dump-dir
--http-exec-cmd <cmd>                              | Command executed whenever a directory has been dumped
--dont-hash-cookies                                | Dump cookie string instead of cookie hash
--http-verbose-level <level>                       | 0 - Relevant info,  1 - Very verbose (default: 1)
--http-ports                                       | List of ports used for http protocol (default: 80)
--proxy-ports                                      | List of ports used for proxy protocol (default: 3128, 8080)
--http-parse-geolocation                           | Dump geolocation info if explicitly present inside mobile app protocol (e.g., "Nimbuzz")