Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement

Size: px

Start display at page:

Download "Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement"

Kory West
5 years ago
Views:

1 Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement Petr Velan, Tomáš Jirsík, Pavel Čeleda {velan jirsik 19th EUNICE Workshop on Advances in Communication Networking August 2013, Chemnitz, Germany

2 Part I Introduction Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 2 / 19

3 Motivation and R&D Goals I Is NetFlow still sufficient? FTP 20/21 SSH 22 SMTP 25 HTTP 80 POP3 110 IMAP 143 HTTPS 443 Well-known Ports Applications Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 3 / 19

Applications Today Applications Petr Velan

4 Motivation and R&D Goals I Is NetFlow still sufficient? FTP 20/21 SSH 22 SMTP 25 HTTP 80 POP3 110 IMAP 143 HTTPS 443 Well-known Ports Applications Today Applications Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 3 / 19

5 Motivation and R&D Goals I Is NetFlow still sufficient? FTP 20/21 SSH 22 SMTP 25 HTTP 80 POP3 110 IMAP 143 HTTPS 443 Well-known Ports Applications Today Applications HTTP - new Transmission Control Protocol - new TCP Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 3 / 19

6 Motivation and R&D Goals II How to add application visibility to flow? Application labeling (protocol recognition) Application data (deep packet inspection) Use the best DPI parsers to extend the flow Speed and accuracy is the most important factor We set out to find the best parser for HTTP protocol Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 4 / 19

7 Part II HTTP Parser Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 5 / 19

8 General HTTP Parser Design GET /wiki/hypertext_transfer_protocol HTTP/1.1\r\n Host: en.wikipedia.org\r\n User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/ Firefox/23.0\r\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n Accept-Language: cs,en-us;q=0.7,en;q=0.3\r\n Accept-Encoding: gzip, deflate\r\n Referer: Connection: keep-alive\r\n If-Modified-Since: Sat, 22 Jun :32:12 GMT\r\n Cach-Control: max-age=0\r\n \r\n Find one of HTTP, POST, GET, CONNECT, PUT, DELETE, HEAD, TRACE method Parse status code or URI Try to find matching header fields for User-Agent, Content-Type, Host, Referer End when double end of line ( \r\n ) is encountered Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 6 / 19

9 Evaluated Parser Types No application parser - L2 through L4 flow exporters No HTTP - no special parser, reference measurement String compare - nprobe, FlowMon strcmp - hand-written parser standard version optimized strcmp - highly optimized hand-written parser Regular expression - YAF pcre - parser using Perl Compatible Regular Expressions Finite automaton - our approach flex - parser using flex generated finite automaton optimized flex - optimization of flex parser Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 7 / 19

10 Flex Parser Schema Protocol labeling Start Initial HTTP Headers User-Agent Content-Type Referer Host Invalid character or \r or \n Not HTTP HTTP Request HTTP Response + status code Protocol parsing Method + URL Invalid character or \r or \n HTTP HTTP End EOF or \r\n\r\n Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 8 / 19

11 Part III Experiment Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 9 / 19

12 Measurement Setup Hard Drive HTTP Dataset Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 10 / 19

13 Measurement Setup FlowMon Exporter Hard Drive HTTP Dataset Memory HTTP Parser Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 10 / 19

14 Measurement Setup FlowMon Exporter Hard Drive HTTP Dataset Memory HTTP Parser Packet Rate Measurement Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 10 / 19

15 Measurement Setup II Dataset HTTP request and response packets Data packets with binary payload Created data sets containing % of HTTP packets Modified data packets with End of Line only at start and end Measurement 1) Throughput measurement 2) Parsed HTTP header fields impact 3) Packet content effect Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 11 / 19

16 Part IV Results Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 12 / 19

17 Throughput 1500 B Snaplen 11 Packets/s (x 10 6 ) no HTTP optimized strcmp strcmp optimized flex flex pcre 1 0 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% : Throughput for data with x % of HTTP header packets Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 13 / 19

18 Throughput 384 B Snaplen 12 Packets/s (x 10 6 ) no HTTP optimized strcmp strcmp optimized flex flex pcre 1 0 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% : Throughput for data with x % of HTTP header packets Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 14 / 19

19 Parsed HTTP Header Fields Impact Packets/s (x 10 6 ) optimized strcmp strcmp optimized flex flex pcre : An HTTP parser throughput for 1500 B packets; supported fields - (0) none - HTTP protocol labeling, (1) +host, (2) +method, (3) +status code, (4) +request URI, (5) +content type, (6) +referer, (7) +user agent Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 15 / 19

20 Packet Content Effect - Strcmp Parser 3 beginning end unchanged Packets/s (x 10 6 ) % 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% : Packet content effect - packet length 1500 B. Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 16 / 19

21 Part V Conclusion Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 17 / 19

22 Conclusion Summary Application data is required to ensure high level of security Fast parsing algorithms, throughput deterioration Hand-written parsers vs. generated parsers Future Work Extensibility - new protocols, more thorough inspection Increasing throughput - examine only necessary data Data processing - storage and evaluation Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 18 / 19

23 Thank You For Your Attention! Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement Petr Velan Tomáš Jirsík Pavel Čeleda HTTP HTTPHTTP IPFIX IPFIX IPFIX IPFIX IPFIX IPFIX Plugins for HTTP Monitoring Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 19 / 19

Identifying Operating System Using Flow-based Traffic Fingerprinting

Identifying Operating System Using Flow-based Traffic Fingerprinting Tomáš Jirsík, Pavel Čeleda {jirsik celeda}@ics.muni.cz Institute of Computer Science, Masaryk University EUNICE 2014 September, 1. 5.,