This site is a homepage of FlowMon HTTP Input/Export Plugins.
Tomáš Šíma - simatomas@mail.muni.cz
Petr Velan - velan@mail.muni.cz
Pavel Čeleda - celeda@mail.muni.cz
Version 1.0, release date: December 20, 2012 flowmon-http-plugins-1.0.tar.gz
Doxygen generated code documentation is available here.
You can also generate documentation by$ make docthen you will find it in ./doc/html/index.html
The plugin was tested on :
Intel(R) Xeon(R) CPU E31230 @ 3.20GHzCompilation requires FlowMon development headers to be installed. The configure script checks for the header files and required utilities.
To compile and install plugin plugins, follow these steps:
$ tar -xpzf flowmon-input-http-1.0.tar.gz $ cd flowmon-input-http-1.0 $ ./configure $ make && make installYou can use :
$ ./configure --enable-benchmark $ make && make installTo install HTTP input plugin in benchmark mode. You have to recompile plugins in order to switch between benchmark and normal mode.
$ cd flowmon-input-http-1.0 $ make clean $ ./configure $ make && make install
Plugin | Plugin name | File containing plugin |
HTTP input plugin | input-http | flowmon-input-http.so |
HTTP process plugin | process-http | flowmon-input-http.so |
HTTP export to PostgreSQL | export-http_postgres | flowmon-export-http_postgres.so |
CSV export plugin | export-csv | flowmon-export-csv.so |
$ find / | grep flowmon-input-http.soThen use (modify parameters) one example below :
silent, read from eth0, export to postgreSQL, get only HTTP traffic from port 80 $ sudo /usr/bin/flowmonexp -X ./flowmon-export-http_postgres.so -X ./flowmon-input-http.so -I input-http:filter=y,device=eth0,verbose=n -P process-http -E export-http_postgres:host=server.company.ccom,port=5432,dbname=http_flow,user=username,password=t0pSecr3t,connect_timeout=10,verbose=n verbose(slower performance), read from eth0, export to postgreSQL, get only HTTP traffic from port 80 $ sudo /usr/bin/flowmonexp -X ./flowmon-export-http_postgres.so -X ./flowmon-input-http.so -I input-http:filter=y,device=eth0,verbose=y -P process-http -E export-http_postgres:host=server.company.ccom,port=5432,dbname=http_flow,user=username,password=t0pSecr3t,connect_timeout=10,verbose=y silent, read from eth0, export to postgreSQL, get any HTTP traffic even on unusual ports $ sudo /usr/bin/flowmonexp -X ./flowmon-export-http_postgres.so -X ./flowmon-input-http.so -I input-http:filter=n,device=eth0,verbose=n -P process-http -E export-http_postgres:host=server.company.ccom,port=5432,dbname=http_flow,user=username,password=t0pSecr3t,connect_timeout=10,verbose=n silent, read from eth0, write into ./http.csv $ sudo /usr/bin/flowmonexp -X ./flowmon-export-csv.so -X ./flowmon-input-http.so -I input-http:filter=y,device=eth0 -P process-http -E export-csv:file=./http.csv silent, get only HTTP traffic on port 80 stored in packets.pcap, write into ./http.csv $ sudo /usr/bin/flowmonexp -X ./flowmon-export-csv.so -X ./flowmon-input-http.so -I input-http:filter=y,file=./packets.pcap -P process-http -E export-csv:file=./http.csv
Plugin parse HTTP headers and adds data about HTTP to flow.
HTTP process plugin must be used along with HTTP input plugin.
Name of variable | HTTP header it refers to | data type |
HTTP_USERAGENT | Useragent: | uint8_t |
HTTP_METHOD | --- | uint8_t |
HTTP_DOMAIN | Host: | char[32] |
HTTP_REFERER | Referer: | char[32] |
HTTP_CONTENT_TYPE | Content_type: | uint8_t |
HTTP_URL | --- | char[32] |
HTTP_STATUS | --- | uint16_t |
HTTP_HEADER_COUNT | --- | uint16_t |
Firefox | 1 |
MSIE | 2 |
Opera | 3 |
Safari | 4 |
Android | 5 |
Chrome | 6 |
Konqueror | 7 |
Googlebot | 8 |
GET | 1 |
POST | 2 |
HEAD | 3 |
PUT | 4 |
DELETE | 5 |
TRACE | 6 |
CONNECT | 7 |
application | 1 |
text | 2 |
image | 3 |
message | 4 |
model | 5 |
multipart | 6 |
audio | 7 |
video | 8 |
HTTP status code used in response.
The number of HTTP headers encountered in all packets that belong to the flow record.
* filter=y <- use default filter in plugin. ( <==> Parse traffic coming from/to port 80, only unicast traffic in ipv4) * filter=n <- dont use any filterU must use '(device OR file) AND (filter OR filterfile)' combination of parameters in normal mode.
* filterfile=filter.txt <- use filter in filter.txt
filter.txt must contain just one line with string representing pcap_filter. * device=dev <- dev is device to listen on.
* file=/path/file.pcap <- path to pcap file
* benchmin=X
* benchmax=Y
* benchtick=int <- Set number of packets to pass between each line of output of benchmarking mode * verbose=y/n <- switch on/off verbose mode (default: verbose mode of flowmonexp) * debug=y/n <- switch on/off debug mode (default: verbose mode of flowmonexp)
$ flowmonexp -X /path/flowmon-input-http.so -P process_http -I input-http:device=eth0,filter=y $ flowmonexp -X /path/flowmon-input-http.so -P process_http -I input-http:file=/path/file.pcap,filter=n
* file=path/file.txt <- file to write into * verbose=y/n <- switch on/off verbose mode (default: verbose mode of flowmonexp) * debug=y/n <- switch on/off debug mode (default: verbose mode of flowmonexp)
$ flowmonexp -X /path/flowmon-export-csv.so -E export-csv:file=path/file.txt
FLOW 0,value1_name value1, Getter2_name value2, Getter3_name value3... FLOW 1,value1_name value1, Getter2_name value2, Getter3_name value3... ...Values are written as hexadecimal dump from memory.
* verbose=y/n <- switch on/off verbose mode (default: verbose mode of flowmonexp) * debug=y/n <- switch on/off debug mode (default: debug mode of flowmonexp)
* host=server.company.com <- hostname of server to connect to * port=5432 <- port to connect to * dbname=my_database <- name of database * user=username <- username * password=secret_pass <- password * connect_timeout=10 <- timeout of connection specified in seconds * hostaddr=192.168.1.10 <- server address, can be used instead of 'host' parameter * sslcert=path/cert <- filename of client SSL certificate * sslmode=Option <- This option determines whether or with what priority a SSL TCP/IP connection will be negotiated with the server. There are six modes
Option | Description |
---|---|
disable | only try a non-SSL connection |
allow | first try a non-SSL connection; if that fails, try an SSL connection |
prefer (default) | first try an SSL connection; if that fails, try a non-SSL connection |
require | only try an SSL connection. If a root CA file is present, verify the certificate in the same way as if verify-ca was specified |
verify-ca | only try an SSL connection, and verify that the server certificate is issued by a trusted CA. |
verify-full | only try an SSL connection, verify that the server certificate is issued by a trusted CA and that the server hostname matches that in the certificate. |
* sslkey=/path/key <- This parameter specifies the location for the secret key used for the client certificate * sslrootcert=/path/cert <- specifies the file name of the root SSL certificate * sslcrl=path/crl <- specifies the file name of the SSL certificate revocation * insert_len=num <- how many records to insert with each insert command, greater insert_len -> less insert commands -> faster inserting to database (default 10000) * insert_time=X <- if X seconds passed since last insert into database, insert into database after processing next packet (default 60) * export_all=y <- insert also flows that aren't HTTP into database
SOURCE_IP inet |
L4_PORT_SRC integer |
DESTINATION_IP inet |
L4_PORT_DST integer |
FLOW_START_USEC timestamptz |
FLOW_END_USEC timestamptz |
L3_PROTO smallint |
PACKETS bigint |
BYTES bigint |
HTTP_CONTENT_TYPE smallint |
HTTP_USERAGENT smallint |
HTTP_METHOD smallint |
HTTP_DOMAIN character(32) |
HTTP_URL character(32) |
HTTP_REFERER character(32) |
127.0.0.1 | 5388 | 173.194.44.241 | 80 | 2013-02-12 18:54:09.733244+01 | 2013-02-12 18:54:09.828393+01 | 4 | 3 | 1200 | 0 | 3 | 1 | www.google.com | /index.html | www.referer.com |
173.194.44.241 | 80 | 127.0.0.1 | 5388 | 2013-02-12 18:54:10.735244+01 | 2013-02-12 18:54:10.928493+01 | 4 | 7 | 11800 | 2 | 0 | 0 |
sudo /usr/bin/flowmonexp -X ./flowmon-export-http_postgres.so -E export-http_postgres:host=server.company.com,port=5432,dbname=http_flow,user=exporter,password=t0pSecr3t,connect_timeout=10,verbose=y
$ export PAGER="less -RSX" $ psql -h host.company.com -U user -d dbname -P pager=always
Copyright (C) 2012 Masaryk University, Institute of Computer Science All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the Masaryk University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. This software is provided ``as is'', and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the company or contributors be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.
Licence conditions in accordance with § 11 of Act No. 130/2002 Coll.
This software is the result of the scientific and research activities at Masaryk University. The owner of the result is Masaryk University, a public university, ID: 00216224. Masaryk University allows other companies and individuals to use this software free of charge and without territorial restrictions under the terms of the BSD licence (http://opensource.org/licenses/BSD-3-Clause). This permission is granted for unlimited time.
This software is not subject to special information treatment according to Act No. 412/2005 Coll., as amended. In case that a person who will use the software under this licence offer violates the licence terms, the permission to use the software terminates.
Licenční podmínky v souladu s § 11 zákona č. 130/2002 Sb.
Tento software je výsledkem vědecko-výzkumných aktivit na Masarykově univerzitě. Vlastníkem výsledku je Masarykova univerzita, veřejná vysoká škola, IČ: 00216224. Masarykova univerzita tímto umožňuje jiným právnickým a fyzickým osobám tento software bezplatně a bez územního omezení využívat podle podmínek BSD licence (http://opensource.org/licenses/BSD-3-Clause). Toto oprávnění se poskytuje na dobu neurčitou.
Tento software nepodléhá zvláštnímu režimu nakládání s informacemi dle zákona č. 412/2005 Sb., v platném znění. V případě, že osoba, která bude užívat software na základě této nabídky licence, poruší uvedené licenční podmínky, zaniká její oprávnění software využívat.