Dears,

First off, interesting discussion. Under the assumption we speak libpcap and not NetFlow/IPFIX, I confirm, as was already clear from Slava's and Chris's emails, that there is nothing built-in to do this in pmacct.
I see two possible avenues for this:

a) Go the classification way, i.e. most probably write a binary classifier (*), since regex would not help with binary protocols (I've read DNS also) and is overall pretty limiting. A new primitive, of type string, should be defined to contain, say, URLs or DNS data.

b) Slightly expand and leverage the aggregate_primitives framework, active for libpcap and NetFlow/IPFIX. See, in this regard, "examples/primitives.lst" (last couple of examples) in the pmacct distribution tarball. The part to expand is the support for variable-length jumps.

I'm happy to support on this (so for example to facilitate where to start, how to make things consistent with the rest, etc.) but somebody has to take on the actual development, which is non-trivial but does not look like a crazy amount either - and hopefully contribute it back to the community.

Looking forward to your thoughts.

Cheers,
Paolo

(*) http://www.pmacct.net/classification/pmacct-classifiers-20060321.tar.gz

On Sat, Mar 22, 2014 at 08:18:01PM +0000, Chris Wilson wrote:
> Hi all,
>
> On Sat, 22 Mar 2014, Viacheslav Dubrovskyi wrote:
> > 22.03.2014 21:20, Stathis Gkotsis writes:
> > > First, I would like to thank you for the great product, pmacct
> > > has proven very useful to me, which brings me to my question :)
> > > I see that it is possible to enable traffic classification,
> > > which is about detecting L7 protocol. I am particularly
> > > interested in HTTP and also outputting the hostname or url, e.g.
> > > in exports via the print module. Is this somehow possible?
> >
> > IMHO better use special tools https://github.com/jbittel/httpry
>
> I'm also interested in this. Even if it's captured by a separate
> tool (and I'm not sure why it couldn't be integrated with pmacct's
> L7 classifiers) I would really like to be able to log http and https
> hostnames of connections, and correlate them with flows recorded by
> pmacct and DNS requests and responses.
>
> It's not clear that httpry can log the source and destination host
> and port at all, let alone store it in a SQL database (no sample
> output is provided), and presumably it does nothing with https.
>
> Cheers, Chris.
> --
> Aptivate | http://www.aptivate.org | Phone: +44 1223 967 838
> Citylife House, Sturton Street, Cambridge, CB1 2QF, UK
>
> Aptivate is a not-for-profit company registered in England and Wales
> with company number 04980791.
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
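The "variable-length jumps" Paolo mentions for option (b), and the string primitive option (a) would fill, come down to walking an untrusted payload whose field offsets are not fixed. The following is an added example written for this thread, not pmacct code and not its aggregate_primitives API: two small C extractors, one for the HTTP Host header and one for the first DNS question name, run over a constructed HTTP request and a constructed DNS query. The function names, the sample packets and the 256-byte output buffer are all assumptions made here. The point a practitioner wants visible is that every jump is checked against the captured length (snaplen can cut a packet short) and every copy against the output size, since a primitive populated from packet bytes is exactly where an unbounded copy would end up in the collector.

```c
/* Added example, not pmacct code: the two variable-length extractions the
 * thread discusses (HTTP Host header, DNS question name) over an untrusted
 * payload. Every read is checked against the captured length and every copy
 * against the output size. Sample inputs below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Copy the Host header value (name matched case-insensitively) into out as a
 * NUL-terminated string. Returns its length; 0 if absent, empty, malformed or
 * too long for out. */
size_t http_host(const uint8_t *p, size_t len, char *out, size_t outsz)
{
    size_t i = 0;
    while (i < len && p[i] != '\n') i++;        /* skip the request line */
    if (i >= len) return 0;
    i++;
    while (i < len) {
        if (p[i] == '\r' || p[i] == '\n') return 0;   /* end of headers, no Host */
        size_t name_start = i;
        while (i < len && p[i] != ':' && p[i] != '\n') i++;
        if (i >= len || p[i] != ':') return 0;        /* header line without ':' */
        size_t name_len = i - name_start;
        i++;
        while (i < len && p[i] == ' ') i++;           /* optional leading spaces */
        size_t val_start = i;
        while (i < len && p[i] != '\r' && p[i] != '\n') i++;
        size_t val_len = i - val_start;
        if (name_len == 4 && strncasecmp((const char *)p + name_start, "Host", 4) == 0) {
            if (val_len == 0 || val_len >= outsz) return 0;
            memcpy(out, p + val_start, val_len);
            out[val_len] = '\0';
            return val_len;
        }
        if (i < len && p[i] == '\r') i++;             /* consume exactly one CRLF/LF */
        if (i < len && p[i] == '\n') i++;
    }
    return 0;                                         /* ran off the capture */
}

/* Decode the first question name of a DNS message (12-byte header first)
 * into dotted form. Returns its length; 0 on malformed or truncated input.
 * Labels over 63 bytes, which is also where compression pointers (0xC0..)
 * live, are rejected: the first QNAME is never compressed. */
size_t dns_qname(const uint8_t *p, size_t len, char *out, size_t outsz)
{
    if (len < 12 || ((p[4] << 8) | p[5]) == 0) return 0;   /* QDCOUNT == 0 */
    size_t i = 12, o = 0;
    for (;;) {
        if (i >= len) return 0;                   /* truncated before root label */
        uint8_t l = p[i++];
        if (l == 0) break;
        if (l > 63 || i + l > len) return 0;      /* bad label or past the capture */
        if (o + l + 1 >= outsz) return 0;         /* '.' + label + NUL must fit */
        if (o) out[o++] = '.';
        memcpy(out + o, p + i, l);
        o += l;
        i += l;
    }
    out[o] = '\0';
    return o;
}

/* Constructed samples: a request whose Host header is lower-cased, and a DNS
 * query for www.example.com (id 0x1234, RD, QDCOUNT 1, type A, class IN). */
static const char http_req[] =
    "GET /index.html HTTP/1.1\r\nUser-Agent: probe\r\n"
    "host: www.example.com\r\nConnection: close\r\n\r\n";
static const uint8_t dns_msg[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};

/* Each demo returns 1 when the extraction behaves as intended on the sample. */
int demo_http_host(void) {
    char h[256];
    return http_host((const uint8_t *)http_req, sizeof http_req - 1, h, sizeof h) == 15
        && strcmp(h, "www.example.com") == 0;
}
int demo_dns_qname(void) {
    char h[256];
    return dns_qname(dns_msg, sizeof dns_msg, h, sizeof h) == 15
        && strcmp(h, "www.example.com") == 0;
}
int demo_dns_truncated(void) {          /* snaplen cut the capture at 20 bytes */
    char h[256];
    return dns_qname(dns_msg, 20, h, sizeof h) == 0;
}
int demo_http_small_buffer(void) {      /* 8-byte out cannot hold the hostname */
    char h[8];
    return http_host((const uint8_t *)http_req, sizeof http_req - 1, h, sizeof h) == 0;
}

int main(void)
{
    printf("http host %d, dns qname %d, truncated rejected %d, small buffer rejected %d\n",
           demo_http_host(), demo_dns_qname(), demo_dns_truncated(), demo_http_small_buffer());
    return 0;
}
```

The two demos that return nothing are the ones worth copying into any real primitive: a capture truncated mid-label and an output buffer shorter than the name both fail closed instead of reading or writing past their bounds. Plugging this into pmacct would still mean locating the TCP/UDP payload from the link-layer and IP headers first, which the example deliberately leaves out.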
