HTTP Plugin
This plugin dissects HTTP traffic, saves the extracted information in dump files, and exports it via NetFlow/IPFIX using the following information elements.
[NFv9 57652][IPFIX 35632.180][Len 128 varlen] %HTTP_URL HTTP URL (IXIA URI)
[NFv9 57832][IPFIX 35632.360][Len 4 varlen] %HTTP_METHOD HTTP METHOD
[NFv9 57653][IPFIX 35632.181][Len 2] %HTTP_RET_CODE HTTP return code (e.g. 200, 304...)
[NFv9 57654][IPFIX 35632.182][Len 128 varlen] %HTTP_REFERER HTTP Referer
[NFv9 57655][IPFIX 35632.183][Len 256 varlen] %HTTP_UA HTTP User Agent
[NFv9 57656][IPFIX 35632.184][Len 256 varlen] %HTTP_MIME HTTP Mime Type
[NFv9 57659][IPFIX 35632.187][Len 64 varlen] %HTTP_HOST HTTP(S) Host Name (IXIA Host Name)
[NFv9 57833][IPFIX 35632.361][Len 64 varlen] %HTTP_SITE HTTP server without host name
[NFv9 57932][IPFIX 35632.460][Len 256 varlen] %HTTP_X_FORWARDED_FOR HTTP X-Forwarded-For
[NFv9 57933][IPFIX 35632.461][Len 256 varlen] %HTTP_VIA HTTP Via
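The following is an added example, not nProbe code: a collector-side sketch showing how the `35632.<id>` enterprise elements listed above appear in an IPFIX template (enterprise bit plus PEN, per RFC 7011) and how fixed and variable-length values are decoded with bounds checks. The sample template and record are constructed for illustration, not captured from nProbe, and the big-endian encoding of the 2-byte return code is an assumption.

```python
import struct

NTOP_PEN = 35632  # enterprise number in the "[IPFIX 35632.x]" column
VARLEN = 0xFFFF   # RFC 7011: template length 65535 = variable-length field
# Element id -> name, copied from the element list above.
HTTP_ELEMENTS = {180: "HTTP_URL", 360: "HTTP_METHOD", 181: "HTTP_RET_CODE",
                 182: "HTTP_REFERER", 183: "HTTP_UA", 184: "HTTP_MIME",
                 187: "HTTP_HOST", 361: "HTTP_SITE",
                 460: "HTTP_X_FORWARDED_FOR", 461: "HTTP_VIA"}

def parse_field_specifiers(buf, count):
    """Parse `count` template field specifiers into (pen, id, length)."""
    fields, off = [], 0
    for _ in range(count):
        raw_id, length = struct.unpack_from("!HH", buf, off)
        off += 4
        pen = 0
        if raw_id & 0x8000:  # enterprise bit: a 4-byte PEN follows
            (pen,) = struct.unpack_from("!I", buf, off)
            off += 4
        fields.append((pen, raw_id & 0x7FFF, length))
    return fields

def decode_record(fields, data):
    """Decode one data record into {name: bytes} for the HTTP elements."""
    out, off = {}, 0
    for pen, ie_id, length in fields:
        if length == VARLEN:
            if off >= len(data):
                raise ValueError("truncated length prefix")
            length, off = data[off], off + 1
            if length == 255:  # long form: 255 then a 2-byte length
                (length,) = struct.unpack_from("!H", data, off)
                off += 2
        if off + length > len(data):
            raise ValueError("field overruns record")
        if pen == NTOP_PEN and ie_id in HTTP_ELEMENTS:
            out[HTTP_ELEMENTS[ie_id]] = data[off:off + length]
        off += length
    return out

# Constructed sample: template with HTTP_METHOD, HTTP_RET_CODE, HTTP_HOST.
SAMPLE_TEMPLATE = (struct.pack("!HHI", 0x8000 | 360, VARLEN, NTOP_PEN)
                   + struct.pack("!HHI", 0x8000 | 181, 2, NTOP_PEN)
                   + struct.pack("!HHI", 0x8000 | 187, VARLEN, NTOP_PEN))
SAMPLE_RECORD = b"\x03GET" + struct.pack("!H", 200) + b"\x0bexample.com"

def demo():
    return decode_record(parse_field_specifiers(SAMPLE_TEMPLATE, 3), SAMPLE_RECORD)
```

Values are returned as raw bytes; fields such as the URL, User Agent and X-Forwarded-For are client-controlled and should be treated as untrusted input by whatever consumes them.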
The plugin supports the following command line options, which specify where the (optional) HTTP log file is saved. As previously described for -P, dumps are nested in directories. It is possible to instruct nProbe to execute a command when a directory (not a log file) is fully dumped (i.e. nProbe has moved to the next directory in time order).
--http-dump-dir <dump dir> | Directory where HTTP logs will be dumped
--http-content-dump-dir <dump dir> | Directory where HTTP content (request only) will be dumped
--http-content-dump-response | Dump both HTTP request and response with --http-content-dump-dir
--http-exec-cmd <cmd> | Command executed whenever a directory has been dumped
--dont-hash-cookies | Dump cookie string instead of cookie hash
--http-verbose-level <level> | 0 - Relevant info, 1 - Very verbose (default: 1)
--http-ports | List of ports used for http protocol (default: 80)
--proxy-ports | List of ports used for proxy protocol (default: 3128, 8080)
--http-parse-geolocation | Dump geolocation info if explicitly present inside mobile app protocol (e.g., "Nimbuzz")