Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement. Petr Velan, Tomáš Jirsík, Pavel Čeleda, {velan|jirsik|celeda}@ics.muni.cz. 19th EUNICE Workshop on Advances in Communication Networking, 28-30 August 2013, Chemnitz, Germany.


SLIDE 1

Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement

Petr Velan, Tomáš Jirsík, Pavel Čeleda

{velan|jirsik|celeda}@ics.muni.cz

19th EUNICE Workshop on Advances in Communication Networking

28-30 August 2013, Chemnitz, Germany

SLIDE 2

Part I Introduction

Petr Velan et al. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement 2 / 19

SLIDE 5

Motivation and R&D Goals – I

Is NetFlow still sufficient?

Well-known ports: FTP 20/21, SSH 22, SMTP 25, HTTP 80, POP3 110, IMAP 143, HTTPS 443

[Figure labels: Well-known Ports Applications; Today Applications]

HTTP - “new Transmission Control Protocol” - new TCP

SLIDE 6

Motivation and R&D Goals – II

How to add application visibility to flow?

  • Application labeling (protocol recognition)
  • Application data (deep packet inspection)

Use the best DPI parsers to extend the flow

  • Speed and accuracy is the most important factor
  • We set out to find the best parser for HTTP protocol

SLIDE 7

Part II HTTP Parser

SLIDE 8

General HTTP Parser Design

    GET /wiki/Hypertext_Transfer_Protocol HTTP/1.1\r\n
    Host: en.wikipedia.org\r\n
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
    Accept-Language: cs,en-us;q=0.7,en;q=0.3\r\n
    Accept-Encoding: gzip, deflate\r\n
    Referer: http://cs.wikipedia.org/wiki/Hypertext_Transfer_Protocol\r\n
    Connection: keep-alive\r\n
    If-Modified-Since: Sat, 22 Jun 2013 17:32:12 GMT\r\n
    Cache-Control: max-age=0\r\n
    \r\n

  • Find one of HTTP, POST, GET, CONNECT, PUT, DELETE, HEAD, TRACE method
  • Parse status code or URI
  • Try to find matching header fields for User-Agent, Content-Type, Host, Referer
  • End when double end of line (’\r\n’) is encountered
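
The four steps above, written as a string-compare parser in C. This is an added example, not the authors' plugin code: the `http_rec` struct, the `http_parse` and `copy_field` names and the 96-byte field size are assumptions. It works on a length-bounded payload with no NUL terminator, as a packet cut by the snaplen would be, and truncates fields instead of overflowing.

```c
#include <string.h>
#include <strings.h>
/* Added example: struct layout, names and FLD are assumptions, not the authors' plugin code. */
#define FLD 96
struct http_rec {
    int status;                              /* 0 for requests */
    char method[8], uri[FLD], hdr[4][FLD];   /* hdr: Host, User-Agent, Content-Type, Referer */
};

/* Copy [s, e) without surrounding spaces/CR; truncate to cap-1 bytes instead of overflowing. */
static void copy_field(char *dst, size_t cap, const char *s, const char *e) {
    while (e > s && (e[-1] == '\r' || e[-1] == ' ')) e--;
    while (s < e && *s == ' ') s++;
    size_t n = (size_t)(e - s) < cap ? (size_t)(e - s) : cap - 1;
    memcpy(dst, s, n);
    dst[n] = '\0';
}

/* Returns 1 if the payload (len bytes, no NUL terminator assumed) starts an HTTP header. */
int http_parse(const char *p, size_t len, struct http_rec *r) {
    static const char *const methods[] = {"GET", "POST", "PUT", "HEAD", "DELETE", "TRACE", "CONNECT"};
    static const char *const names[] = {"Host:", "User-Agent:", "Content-Type:", "Referer:"};
    const char *end = p + len, *nl = memchr(p, '\n', len), *eol = nl ? nl : end;
    size_t i, n, m = 0;
    memset(r, 0, sizeof *r);
    if (len >= 5 && memcmp(p, "HTTP/", 5) == 0) {        /* response: parse status code */
        const char *sp = memchr(p, ' ', (size_t)(eol - p));
        if (!sp) return 0;
        for (i = 0, sp++; i < 3 && sp < eol && *sp >= '0' && *sp <= '9'; i++, sp++)
            r->status = r->status * 10 + (*sp - '0');
    } else {                                             /* request: method + URI */
        for (i = 0; i < 7 && !m; i++)
            if (len > (n = strlen(methods[i])) && !memcmp(p, methods[i], n) && p[n] == ' ') m = n;
        if (!m) return 0;                                /* not HTTP: label only */
        copy_field(r->method, sizeof r->method, p, p + m);
        const char *sp = memchr(p + m + 1, ' ', (size_t)(eol - (p + m + 1)));
        copy_field(r->uri, FLD, p + m + 1, sp ? sp : eol);
    }
    for (p = eol; p < end; p = eol) {                    /* p sits on the previous '\n' */
        p++;
        nl = memchr(p, '\n', (size_t)(end - p));
        eol = nl ? nl : end;
        if (eol == p || (eol - p == 1 && *p == '\r')) break;   /* empty line: header ends */
        for (i = 0; i < 4; i++)
            if ((size_t)(eol - p) > (n = strlen(names[i])) && !strncasecmp(p, names[i], n))
                copy_field(r->hdr[i], FLD, p + n, eol);
    }
    return 1;
}
```
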

SLIDE 9

Evaluated Parser Types

No application parser - L2 through L4 flow exporters

  • No HTTP - no special parser, reference measurement

String compare - nProbe, FlowMon

  • strcmp - hand-written parser standard version
  • optimized strcmp - highly optimized hand-written parser

Regular expression - YAF

  • pcre - parser using Perl Compatible Regular Expressions

Finite automaton - our approach

  • flex - parser using flex generated finite automaton
  • optimized flex - optimization of flex parser

SLIDE 10

Flex Parser Schema

[Figure: flex parser state diagram with two phases, Protocol labeling and HTTP Protocol parsing. Labels in the diagram: Start, Initial, HTTP Request, HTTP Response, HTTP Headers, Not HTTP, End, HTTP, Method + URL, HTTP Response + status code, User-Agent, Content-Type, Referer, Host, \r or \n, \r, \n, Invalid character, EOF or \r\n\r\n]

SLIDE 11

Part III Experiment

SLIDE 14

Measurement Setup

[Figure: measurement setup. Labels in the diagram: Hard Drive, HTTP Dataset, Memory, FlowMon Exporter, HTTP Parser, Packet Rate Measurement]

SLIDE 15

Measurement Setup II

Dataset

  • HTTP request and response packets
  • Data packets with binary payload
  • Created data sets containing 0 - 100 % of HTTP packets
  • Modified data packets with End of Line only at start and end

Measurement

  1) Throughput measurement
  2) Parsed HTTP header fields impact
  3) Packet content effect

SLIDE 16

Part IV Results

SLIDE 17

Throughput – 1500 B Snaplen

[Figure: Throughput for data with x % of HTTP header packets. X axis: 0% to 100%; Y axis: Packets/s (x 10^6). Series: no HTTP, optimized strcmp, strcmp, optimized flex, flex, pcre]

SLIDE 18

Throughput – 384 B Snaplen

[Figure: Throughput for data with x % of HTTP header packets. X axis: 0% to 100%; Y axis: Packets/s (x 10^6). Series: no HTTP, optimized strcmp, strcmp, optimized flex, flex, pcre]

SLIDE 19

Parsed HTTP Header Fields Impact

[Figure: An HTTP parser throughput for 1500 B packets; supported fields - (0) none - HTTP protocol labeling, (1) +host, (2) +method, (3) +status code, (4) +request URI, (5) +content type, (6) +referer, (7) +user agent. Y axis: Packets/s (x 10^6). Series: optimized strcmp, strcmp, optimized flex, flex, pcre]

SLIDE 20

Packet Content Effect - Strcmp Parser

[Figure: Packet content effect - packet length 1500 B. X axis: 0% to 100%; Y axis: Packets/s (x 10^6). Series: beginning, end, unchanged]

SLIDE 21

Part V Conclusion

SLIDE 22

Conclusion

Summary

  • Application data is required to ensure high level of security
  • Fast parsing algorithms, throughput deterioration
  • Hand-written parsers vs. generated parsers

Future Work

  • Extensibility - new protocols, more thorough inspection
  • Increasing throughput - examine only necessary data
  • Data processing - storage and evaluation

SLIDE 23

Thank You For Your Attention! Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement

Petr Velan

velan@ics.muni.cz

Tomáš Jirsík

jirsik@ics.muni.cz

Pavel Čeleda

celeda@ics.muni.cz


Plugins for HTTP Monitoring

http://www.muni.cz/ics/920232/web/http-plugins
