Hi all,

Concerning HTTP: I guess the thing to output would be the hostname, since you can have multiple HTTP requests to different URLs inside one TCP session.

About DNS, what should be outputted? I guess the hostname for A queries is good enough to start with.

BR,
Stathis

> Date: Sun, 23 Mar 2014 13:56:32 +0000
> From: pa...@pmacct.net
> To: pmacct-discussion@pmacct.net
> Subject: Re: [pmacct-discussion] HTTP traffic classification
>
> Dears,
>
> First off, interesting discussion. Under the assumption we speak libpcap and not NetFlow/IPFIX, I confirm, as it was already clear from Slava's and Chris's emails, that there is nothing built-in to do this in pmacct.
>
> I see two possible avenues for this: a) go the classification way, i.e. most probably write a binary classifier (*) since regex would not help with binary protocols (I've read DNS also) and is overall pretty limiting. A new primitive, of type string, should be defined to contain, say, URLs or DNS data. b) Slightly expand and leverage the aggregate_primitives framework, active for libpcap and NetFlow/IPFIX. See, in this regard, "examples/primitives.lst" (last couple of examples) in the pmacct distribution tarball. The part to expand is the support for variable-length jumps.
>
> I'm happy to support on this (so for example to facilitate where to start, how to make things consistent with the rest, etc.) but somebody has to take the actual development, which is non-trivial but does not look like a crazy amount either, on him - and hopefully contribute it back to the community.
>
> Looking forward to your thoughts.
>
> Cheers,
> Paolo
>
> (*) http://www.pmacct.net/classification/pmacct-classifiers-20060321.tar.gz
>
> On Sat, Mar 22, 2014 at 08:18:01PM +0000, Chris Wilson wrote:
> > Hi all,
> >
> > On Sat, 22 Mar 2014, Viacheslav Dubrovskyi wrote:
> > > 22.03.2014 21:20, Stathis Gkotsis writes:
> > > > First, I would like to thank you for the great product, pmacct has proven very useful to me, which brings me to my question :) I see that it is possible to enable traffic classification, which is about detecting the L7 protocol. I am particularly interested in HTTP and also outputting the hostname or URL, e.g. in exports via the print module. Is this somehow possible?
> > >
> > > IMHO better use special tools: https://github.com/jbittel/httpry
> >
> > I'm also interested in this. Even if it's captured by a separate tool (and I'm not sure why it couldn't be integrated with pmacct's L7 classifiers) I would really like to be able to log HTTP and HTTPS hostnames of connections, and correlate them with flows recorded by pmacct and DNS requests and responses.
> >
> > It's not clear that httpry can log the source and destination host and port at all, let alone store it in a SQL database (no sample output is provided), and presumably it does nothing with HTTPS.
> >
> > Cheers, Chris.
> > --
> > Aptivate | http://www.aptivate.org | Phone: +44 1223 967 838
> > Citylife House, Sturton Street, Cambridge, CB1 2QF, UK
> >
> > Aptivate is a not-for-profit company registered in England and Wales with company number 04980791.
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
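As an added illustration of the two strings the thread proposes to export (the HTTP Host header and the QNAME of a DNS A query), here is a small standalone C extractor; it is not pmacct code nor code from any of the posters. The function names, the constructed sample payloads and the 12-byte-DNS-header assumption are mine; the label walk in `dns_qname` is the kind of variable-length jump Paolo refers to, done with explicit bounds checks so a truncated or malformed packet is rejected rather than read past.

```c
/* Added example, not pmacct code: extract the HTTP Host header and the QNAME of a
 * DNS A query from raw L7 payloads, rejecting truncated or malformed input. */
#include <string.h>
#include <strings.h>
#include <stdint.h>

/* Decode the first question's QNAME of a DNS query (RFC 1035 labels). Returns 1 and
 * fills out[] on success, 0 on bad input; compression pointers are invalid in a
 * question name and are rejected. If qtype is non-NULL it receives QTYPE (1 == A). */
int dns_qname(const uint8_t *p, size_t len, char *out, size_t outsz, uint16_t *qtype) {
    size_t i = 12, o = 0;                      /* question follows the 12-byte header */
    if (len < 12 || (p[2] & 0x80) || ((p[4] << 8) | p[5]) == 0) return 0; /* QR=0, QDCOUNT>=1 */
    for (;;) {
        if (i >= len) return 0;                /* ran off the end mid-name */
        uint8_t l = p[i++]; if (l == 0) break; /* root label terminates the name */
        if ((l & 0xC0) || i + l > len || o + l + 1 >= outsz) return 0;
        if (o) out[o++] = '.';
        memcpy(out + o, p + i, l); o += l; i += l;
    }
    out[o] = '\0';
    if (i + 4 > len) return 0;                 /* QTYPE and QCLASS must be present */
    if (qtype) *qtype = (uint16_t)((p[i] << 8) | p[i + 1]);
    return o > 0;
}

/* Copy the Host header value of an HTTP/1.x request into out[]. Returns 1 on
 * success, 0 if no complete Host line precedes the end of the headers. */
int http_host(const char *buf, size_t len, char *out, size_t outsz) {
    const char *end = buf + len, *line = memchr(buf, '\n', len);
    while (line && ++line < end) {             /* skip request line, walk headers */
        const char *eol = memchr(line, '\n', (size_t)(end - line));
        if (!eol || eol - line <= 1) return 0; /* truncated header, or blank line */
        if (eol - line > 5 && strncasecmp(line, "Host:", 5) == 0) {
            const char *v = line + 5; while (v < eol && *v == ' ') v++;
            size_t n = (size_t)(eol - v); while (n && (v[n - 1] == '\r' || v[n - 1] == ' ')) n--;
            if (n == 0 || n >= outsz) return 0;
            memcpy(out, v, n); out[n] = '\0'; return 1;
        }
        line = eol;
    }
    return 0;
}

/* Constructed sample payloads: an A? query for example.com and one HTTP request. */
static const uint8_t DNS_QUERY[] = { 0x12,0x34, 0x01,0x00, 0x00,0x01, 0,0, 0,0, 0,0,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01 };
static const char HTTP_REQ[] =
    "GET /index.html HTTP/1.1\r\nUser-Agent: x\r\nHost: www.example.com\r\n\r\n";
```

Feeding the same buffers cut short shows why the length checks matter: both functions return 0 instead of emitting a partial name.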