Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement

  • Petr Velan
  • Tomáš Jirsík
  • Pavel Čeleda
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8115)


In this paper we analyze HTTP protocol parsers that provide a web traffic visibility to IP flow. Despite extensive work, flow meters generally fall short of performance goals due to extracting application layer data. Constructing effective protocol parser for in-depth analysis is a challenging and error-prone affair. We designed and evaluated several HTTP protocol parsers representing current state-of-the-art approaches used in today’s flow meters. We show the packet rates achieved by respective parsers, including the throughput decrease (performance implications of application parser) which is of the utmost importance for high-speed deployments. We believe that these results provide researchers and network operators with important insight into application visibility and IP flow.


HTTP protocol parser traffic measurement flow IPFIX 


  1. 1.
    PCRE - Perl Compatible Regular Expressions (November 2012),
  2. 2.
    The GNU C Library (glibc) (December 2012),
  3. 3.
    Bittel, J.: httpry - HTTP logging and information retrieval tool (April 2013),
  4. 4.
    Cisco Systems, Inc.: Application Visibility and Control (April 2013),
  5. 5.
    Deri, L.: nProbe: an Open Source NetFlow probe for Gigabit Networks. In: In Proc. of Terena TNC 2003 (2003)Google Scholar
  6. 6.
    Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., Berners-Lee, T.: Hypertext Transfer Protocol – HTTP/1.1. RFC 2616 (Draft Standard) (June 1999),, updated by RFCs 2817, 5785, 6266, 6585
  7. 7.
    Gehlen, V., Finamore, A., Mellia, M., Munafò, M.M.: Uncovering the big players of the web. In: Pescapè, A., Salgarelli, L., Dimitropoulos, X. (eds.) TMA 2012. LNCS, vol. 7189, pp. 15–28. Springer, Heidelberg (2012), CrossRefGoogle Scholar
  8. 8.
    Inacio, C.M., Trammell, B.: YAF: Yet Another Flowmeter. In: Proceedings of the 24th International Conference on Large Installation System Administration, LISA 2010, pp. 1–16. USENIX Association, Berkeley (2010), Google Scholar
  9. 9.
    INVEA-TECH: FlowMon Exporter – Community Program (April 2013),
  10. 10.
    Lesk, M.E., Schmidt, E.: Lex – a Lexical Analyzer Generator. Tech. rep., Bell Laboratories. Computing Science Technical Report No. 39 (1975)Google Scholar
  11. 11.
    Levine, J., John, L.: Flex & Bison, 1st edn. O’Reilly Media, Inc. (2009)Google Scholar
  12. 12.
    Mahanti, A., Williamson, C., Carlsson, N., Arlitt, M., Mahanti, A.: Characterizing the file hosting ecosystem: A view from the edge. Perform. Eval. 68(11), 1085–1102 (2011), CrossRefGoogle Scholar
  13. 13.
    McNaughton, R., Yamada, H.: Regular Expressions and State Graphs for Automata. IRE Transactions on Electronic Computers, EC-9(1), 39–47 (1960)CrossRefGoogle Scholar
  14. 14.
    Open Information Security Foundation: Suricata – network IDS, IPS and network security monitoring engine (April 2013),
  15. 15.
    Pang, R., Paxson, V., Sommer, R., Peterson, L.: Binpac: A yacc for Writing Application Protocol Parsers. In: Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, IMC 2006, pp. 289–300. ACM, New York (2006), Google Scholar
  16. 16.
    Paxson, V.: Bro: A system for detecting network intruders in real-time. Comput. Netw. 31(23-24), 2435–2463 (1999), Scholar
  17. 17.
    Qualys, Inc.: LibHTP – security-aware parser for the HTTP protocol (April 2013),
  18. 18.
    Roesch, M.: Snort - Lightweight Intrusion Detection for Networks. In: Proceedings of the 13th USENIX Conference on System Administration, LISA 1999, pp. 229–238. USENIX Association, Berkeley (1999), Google Scholar
  19. 19.
    Schneider, F., Agarwal, S., Alpcan, T., Feldmann, A.: The new web: Characterizing AJAX traffic. In: Claypool, M., Uhlig, S. (eds.) PAM 2008. LNCS, vol. 4979, pp. 31–40. Springer, Heidelberg (2008), CrossRefGoogle Scholar
  20. 20.
    Šíma T., Velan P., Čeleda P.: FlowMon - Plugins for HTTP Monitoring (April 2013),
  21. 21.
    Torres, L., Magana, E., Izal, M., Morato, D.: Identifying sessions to websites as an aggregation of related flows. In: 2012 XVth International Telecommunications Network Strategy and Planning Symposium (NETWORKS), pp. 1–6 (2012)Google Scholar
  22. 22.
    Torres, L.M., Magana, E., Izal, M., Morato, D.: Strategies for automatic labelling of web traffic traces. In: 37th Annual IEEE Conference on Local Computer Networks, pp. 196–199 (2012)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2013

Authors and Affiliations

  • Petr Velan
    • 1
  • Tomáš Jirsík
    • 1
  • Pavel Čeleda
    • 1
  1. 1.Institute of Computer ScienceMasaryk UniversityBrnoCzech Republic

Personalised recommendations