Shruti_Malik_84
May 24, 2007

Log Bytes Sent/Received (WEB TRAFFIC) in F5 via iRules or BIG-IP

Hi All,

Is it possible to log the web traffic for a particular incoming/outgoing HTTPS request, i.e. 'Bytes Sent' and 'Bytes Received'? The logging is required to be done by either iRules or BIG-IP.

Please let me know if anyone has information on this requirement.

Thanks

Anmol Singh

9 Replies

  • Hi,

    One way is to use tcpdump.

    But when I type tcpdump on my BIG-IP I just see the information below:

    btl-f5-prod-01.easynet.fr.32806 > sccp.4401

    I can't display HTTP traffic.

    Can anyone help me?

  • Use HTTP::payload length in both events to log this information, or just log both in the response:

    
    when HTTP_REQUEST {
      set request_length [HTTP::payload length]
    }
    when HTTP_RESPONSE {
      log local0. "Request Size: $request_length, Response Size: [HTTP::payload length]"
    }

  • Hi,

    I tried using "[HTTP::payload length]" in both HTTP_REQUEST and HTTP_RESPONSE, but the results obtained did not match the IIS logs.

    Please let me know if you have information on this.

    Example

    F5 logs:

    May 25 12:10:24 tmm tmm[26111]: Rule getip : Client IP: 10.210.36.134 -> ClientPort: 2416 -> Domain: www.test22.de -> Method: GET -> Uri: /text.gif -> Host: www.test22.de -> Query: -> Connection: Keep-Alive -> Version: 1.1 -> Username: -> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Status: 200 -> Referer: https://www.test22.de/ -> AcceptLanguage: en-us -> AcceptEncoding: gzip, deflate -> LastModified: Mon, 05 Apr 2004 09:15:00 GMT -> Date: Fri, 25 May 2007 06:20:09 GMT -> RequestCookie: -> RequestCookieCount: 0 -> ResponseCookie: -> ResponseCookieCount: 0 -> TimeEstimate: 0 -> RequestPayLoadLength: 0 -> ResponsePayLoadLength: 1210

     

     

    IIS logs:

    Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

     

    2007-05-25 06:20:09 10.210.36.136 GET /text.gif - 80 - 10.210.36.159 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 200 0 0 1698 294 109

     

     

    The sc-bytes (Bytes sent) = 1698 and cs-bytes (Bytes received) = 294 in the IIS logs are different from the RequestPayLoadLength: 0 -> ResponsePayLoadLength: 1210 logged in the F5 logs.
  • I think the discrepancy you're seeing is because the HTTP::payload length command is giving the bytes of the payload. It does not include the length of the headers. So you're seeing the length of the request as 0 because there were only headers in the request.

    I can't think of a simple method for getting a length of the HTTP headers and data per request though. Maybe a statistics profile would help? Does anyone else have ideas?

    Aaron

  • TCP::payload length would include the http headers and the http payload, if applicable.
  • Hey Citizen,

    I was thinking the same thing, but then wouldn't you have to accumulate the entire payload for every request to get a valid result for TCP::payload?

    Aaron
  • Good point. Would doing a string length on HTTP::request work? I'm grasping at straws, here... :-)
  • If it's HTTP, then you can likely use the Content-Length header that the browser and server send to indicate the total length of the upcoming payload.

    when HTTP_REQUEST {
      set request_length [HTTP::header "Content-Length"]
    }
    when HTTP_RESPONSE {
      log local0. "Request Size: $request_length, Response Size: [HTTP::header Content-Length]"
    }

    -Joe
  • Yeah, I would think adding the HTTP::request and HTTP::payload would do it...

    [expr {[string length [HTTP::request]] + [HTTP::payload length]}]

    But there doesn't seem to be a way to get the response headers.

    And Joe, clients can send HTTP requests and servers can send responses with payloads without sending a Content-Length (i.e. chunked-encoded requests/responses). Also, the Content-Length headers don't include the HTTP header lengths.

    Is there a way to get the HTTP response headers in one string, like HTTP::request for requests?

    Aaron
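
Added example, not written by any poster in this thread: an iRule sketch that combines the ideas discussed above, counting request header bytes with HTTP::request and approximating response header bytes by re-serialising the parsed headers. Assumptions: the variable names are made up for this example, the response reason phrase and the original header whitespace are not counted, and a body size is only reported when a Content-Length header is present.

```tcl
when HTTP_REQUEST {
    # HTTP::request returns the raw request line plus headers (no body).
    # string length counts characters, which equals bytes for ASCII headers.
    set req_hdr_len [string length [HTTP::request]]
    # The body size is only declared when the client sends Content-Length;
    # chunked requests carry none, so record that instead of guessing.
    if { [HTTP::header exists "Content-Length"] } {
        set req_body_len [HTTP::header value "Content-Length"]
    } else {
        set req_body_len "unknown"
    }
}

when HTTP_RESPONSE {
    # Approximate the status line; the reason phrase is not counted (assumption).
    set resp_hdr_len [string length "HTTP/[HTTP::version] [HTTP::status] \r\n"]
    # Re-serialise each parsed header as "Name: value\r\n".
    # Names are de-duplicated case-insensitively so that repeated headers
    # (for example several Set-Cookie lines) are counted once per value.
    set seen {}
    foreach name [HTTP::header names] {
        set key [string tolower $name]
        if { [lsearch -exact $seen $key] >= 0 } { continue }
        lappend seen $key
        foreach value [HTTP::header values $name] {
            incr resp_hdr_len [string length "${name}: ${value}\r\n"]
        }
    }
    # Blank line that terminates the header block.
    incr resp_hdr_len 2
    if { [HTTP::header exists "Content-Length"] } {
        set resp_body_len [HTTP::header value "Content-Length"]
    } else {
        set resp_body_len "unknown"
    }
    log local0. "Request: headers=$req_hdr_len body=$req_body_len, Response: headers~$resp_hdr_len body=$resp_body_len"
}
```

The response header figure is an estimate, so expect it to differ from sc-bytes in the IIS log by a small amount even when the body size matches.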