Our friends at Plixer have written a nice article about how to use nProbe to export HTTP and latency information.
Note that you can also use the nProbe HTTP plugin to trace HTTP events and rebuild user sessions, since NetFlow is not exactly the best protocol for exporting this information. The available options are:
| Option | Description |
|---|---|
| --http-dump-dir <dump dir> | |
| --http-exec-cmd <cmd> | Command executed whenever a directory has been dumped |
| --dont-hash-cookies | Dump cookie string instead of cookie hash |
| --dont-nest-dump-dirs | Don't create subdirs on the dump directory |
| --max-http-log-lines <num> | Max number of lines per log file (default 10000) |
For instance:
nprobe --http-dump-dir ~/http --http-exec-cmd /home/deri/processHTTP.py --max-http-log-lines 500
dumps files of up to 500 lines in ~/http; once a file has been dumped, it is processed using processHTTP.py.
Dump files have the following format:
#
# Client Server Protocol Method URL HTTPReturnCode Referer UserAgent ContentType Bytes BeginTime EndTime Flow Hash Cookie
#
65.175.140.3 www.plixer.com http /blog/wp-content/plugins/wp-cumulus/tagcloud.swf?r=8093784 200 www.plixer.com/blog/index.php?s=netflowMozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1064 Safari/532.5 application/x-shockwave-flash 39720 1273583995 1273583996 1507291460 80462
82.211.65.226 www.plixer.com http /includes/AC_RunActiveContent.js 304 www.plixer.com/support/download_request.php Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) 3869 1273584001 1273584002 1794801542 68289
82.211.65.226 www.plixer.com http /includes/functions.js 304 www.plixer.com/support/download_request.php Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) 3676 1273584001 1273584002 1794801542 68976
These dump files enable you to do everything from web stats to network forensics.
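As an added example (not ntop's or Plixer's code), here is a sketch of the kind of post-processing a script such as processHTTP.py could do on a dump: rebuild sessions from the cookie hash column and list cookie hashes presented by more than one client address. It assumes tab-separated fields in the header's column order with "Flow Hash" as one column; the function names and sample records are constructed for illustration.

```python
from collections import defaultdict

# Column order copied from the dump header on this page. Assumptions: fields
# are tab-separated, "Flow Hash" is a single column, empty Cookie = no cookie.
FIELDS = ["Client", "Server", "Protocol", "Method", "URL", "HTTPReturnCode",
          "Referer", "UserAgent", "ContentType", "Bytes", "BeginTime",
          "EndTime", "FlowHash", "Cookie"]
NUMERIC = ("HTTPReturnCode", "Bytes", "BeginTime", "EndTime")

def parse_dump(text):
    """Return one dict per record; skip '#' headers and malformed lines."""
    records = []
    for line in text.splitlines():
        cols = line.split("\t")
        if line.startswith("#") or len(cols) != len(FIELDS):
            continue  # never guess columns for a truncated line
        rec = dict(zip(FIELDS, cols))
        if all(rec[k].isdigit() for k in NUMERIC):
            rec.update({k: int(rec[k]) for k in NUMERIC})
            records.append(rec)
    return records

def rebuild_sessions(records):
    """Group requests by cookie hash, ordered by request start time."""
    sessions = defaultdict(list)
    for rec in records:
        if rec["Cookie"]:
            sessions[rec["Cookie"]].append(rec)
    return {c: sorted(r, key=lambda x: x["BeginTime"]) for c, r in sessions.items()}

def shared_cookies(sessions):
    """Map cookie hash -> client addresses, for hashes seen from >1 client."""
    clients = {c: sorted({r["Client"] for r in reqs}) for c, reqs in sessions.items()}
    return {c: ips for c, ips in clients.items() if len(ips) > 1}

# Constructed sample dump (documentation addresses, invented hashes).
_H, _UA = "www.example.com", "Mozilla/5.0 (constructed)"
SAMPLE = "\n".join(["#", "# " + " ".join(FIELDS), "#"] + ["\t".join(r) for r in [
    ("192.0.2.10", _H, "http", "GET", "/account", "200", _H + "/login", _UA,
     "text/html", "8200", "1273584001", "1273584002", "1507291461", "80462"),
    ("192.0.2.10", _H, "http", "GET", "/login", "200", "", _UA,
     "text/html", "5120", "1273583995", "1273583996", "1507291460", "80462"),
    ("198.51.100.7", _H, "http", "GET", "/account", "200", "", "curl/7.20",
     "text/html", "8200", "1273584050", "1273584051", "1794801542", "80462"),
    ("192.0.2.33", _H, "http", "GET", "/includes/functions.js", "304", "", _UA,
     "", "3676", "1273584001", "1273584002", "1794801543", "68976"),
    ("192.0.2.33", _H, "http"),  # truncated record, must be skipped
]])

if __name__ == "__main__":
    print(shared_cookies(rebuild_sessions(parse_dump(SAMPLE))))
```

A cookie hash seen from two addresses is a lead to review rather than a verdict, since NAT changes and roaming clients produce the same pattern. Working on the default hashed cookies keeps session secrets out of the dump directory, which --dont-hash-cookies would not.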