Abstract
In this paper we analyze HTTP protocol parsers that add web traffic visibility to IP flows. Despite extensive work, flow meters generally fall short of performance goals because they extract application layer data. Constructing an effective protocol parser for in-depth analysis is a challenging and error-prone affair. We designed and evaluated several HTTP protocol parsers representing the current state-of-the-art approaches used in today’s flow meters. We show the packet rates achieved by the respective parsers, including the throughput decrease (the performance implications of an application parser), which is of the utmost importance for high-speed deployments. We believe that these results provide researchers and network operators with important insight into application visibility and IP flow.
Copyright information
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Velan, P., Jirsík, T., Čeleda, P. (2013). Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement. In: Bauschert, T. (eds) Advances in Communication Networking. EUNICE 2013. Lecture Notes in Computer Science, vol 8115. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40552-5_13
DOI: https://doi.org/10.1007/978-3-642-40552-5_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40551-8
Online ISBN: 978-3-642-40552-5
eBook Packages: Computer Science, Computer Science (R0)