2 * Netgrind -- HTTP Analyser
4 * (c) 2003--2013 Martin Mares <mj@ucw.cz>
6 * This software may be freely distributed and used according to the terms
7 * of the GNU General Public License.
13 #include "lib/pools.h"
14 #include "netgrind/pkt.h"
15 #include "netgrind/netgrind.h"
21 #include <netinet/in.h>
34 HTTP_IDLE, /* initialized, waiting for request */
35 HTTP_ERROR, /* protocol error, ignoring everything else */
36 HTTP_CUT, /* unexpected EOF in one direction, ignoring everything else */
37 HTTP_REQUEST, /* parsing request */
38 HTTP_BODY_CHUNKED, /* receiving body: chunked encoding */
39 HTTP_BODY_LENGTH, /* receiving body: length given */
40 HTTP_BODY_INF, /* receiving body: till EOF */
41 HTTP_RESPONSE, /* parsing response */
42 HTTP_DONE, /* transaction finished, logging it */
43 HTTP_CONNECT, /* inside CONNECT transaction */
46 u64 req_start_time, resp_start_time;
49 list tx_queue, rx_queue;
50 byte *req_line, *resp_line;
51 list req_headers, resp_headers;
65 static void http_open(struct flow *f, u64 when)
67 static int http_counter;
68 struct http_state *s = xmalloc_zero(sizeof(*s));
71 s->id = http_counter++;
72 DBG("HTTP: %d NEW %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d\n", s->id,
73 IPQUAD(f->saddr), ntohs(f->sport), IPQUAD(f->daddr), ntohs(f->dport));
74 list_init(&s->tx_queue);
75 list_init(&s->rx_queue);
76 s->req_start_time = when;
79 static byte *http_lookup_hdr(list *l, byte *name)
81 struct http_header *h;
83 if (!strcasecmp(h->name, name))
88 static uns find_token(byte *hay, byte *needle)
94 if (*hay == ' ' || *hay == '\t' || *hay == ',')
99 while (*hay && *hay != ',' && *hay != ' ' && *hay != '\t')
103 uns found = !strcasecmp(h, needle);
112 static void http_log_start(struct http_state *s)
117 char name[256], stamp[TIMESTAMP_LEN];
118 struct flow *f = s->flow;
120 sprintf(name, "%s/%06u-%d.%d.%d.%d:%d-%d.%d.%d.%d:%d", http_log_dir, s->id,
121 IPQUAD(f->saddr), ntohs(f->sport), IPQUAD(f->daddr), ntohs(f->dport));
122 if (!(s->log_file = fopen(name, "w")))
123 die("Unable to create %s: %m", name);
125 format_timestamp(stamp, s->req_start_time);
126 fprintf(s->log_file, "; [%s] From %d.%d.%d.%d:%d to %d.%d.%d.%d:%d (req %u)\n",
127 stamp, IPQUAD(f->saddr), ntohs(f->sport), IPQUAD(f->daddr), ntohs(f->dport),
131 static void http_log_end(struct http_state *s)
139 static void http_log_req_line(struct http_state *s, byte *line)
142 fprintf(s->log_file, "> %s\n", line);
145 static void http_log_resp_line(struct http_state *s, byte *line)
148 fprintf(s->log_file, "< %s\n", line);
151 static void http_log_body(struct http_state *s, byte *data, uns len)
154 fwrite(data, len, 1, s->log_file);
157 static void http_report(struct flow *f, struct http_state *s, u64 when, byte *reason)
159 byte *method, *url, *x, *y, *stat;
161 if (!(method = s->req_line))
167 /* Analyse request line */
169 while (*url && *url != ' ')
178 /* Analyse response line */
179 if (stat = s->resp_line)
181 while (*stat && *stat != ' ')
186 while (*x && *x != ' ')
193 reason = stat[0] ? stat : (byte*)"???";
195 /* Reconstruct full URL */
196 if (!strstr(url, "://") && strcasecmp(method, "CONNECT"))
198 if (!(x = http_lookup_hdr(&s->req_headers, "Host:")))
201 url = alloca(7 + strlen(x) + strlen(y) + 1);
202 sprintf(url, "http://%s%s", x, y);
204 char *ffor = http_lookup_hdr(&s->req_headers, "X-Forwarded-For:");
206 /* Find out cacheability */
207 byte *rq_pragma = http_lookup_hdr(&s->req_headers, "Pragma:");
208 byte *rp_pragma = http_lookup_hdr(&s->resp_headers, "Pragma:");
209 byte *rq_cc = http_lookup_hdr(&s->req_headers, "Cache-control:");
210 byte *rp_cc = http_lookup_hdr(&s->resp_headers, "Cache-control:");
211 byte *rp_cache = http_lookup_hdr(&s->resp_headers, "X-Cache:");
212 uns rq_cflag, rp_cflag, rp_hit;
213 if (find_token(rq_pragma, "no-cache") || find_token(rq_cc, "no-cache"))
215 else if (find_token(rq_cc, "max-age=0") || find_token(rq_cc, "must-revalidate"))
219 if (find_token(rp_pragma, "no-cache") || find_token(rp_cc, "no-cache"))
221 else if (find_token(rp_cc, "private"))
223 else if (find_token(rp_cc, "no-store"))
225 else if (find_token(rp_cc, "must-revalidate"))
231 else if (!strncmp(rp_cache, "HIT ", 4))
233 else if (!strncmp(rp_cache, "MISS ", 5))
238 byte stamp[TIMESTAMP_LEN], src[22], dst[22];
239 sprintf(src, "%d.%d.%d.%d:%d", IPQUAD(f->saddr), ntohs(f->sport));
240 sprintf(dst, "%d.%d.%d.%d:%d", IPQUAD(f->daddr), ntohs(f->dport));
241 format_timestamp(stamp, s->req_start_time);
242 u64 ttotal = when - s->req_start_time;
243 u64 tresp = (s->resp_line ? (s->resp_start_time - s->req_start_time) : 0);
244 byte *ctype = (http_lookup_hdr(&s->resp_headers, "Content-type:") ? : http_lookup_hdr(&s->req_headers, "Content-type:")) ? : (byte*)"-";
246 if (sep = strchr(ctype, ';'))
249 printf("# id timestamp source destination forwarded-for res cac que length total time wait time ctype method URL\n");
250 /* 000000 2003-06-06 22:53:38.642 81.27.194.19:1175 205.217.153.53:80 123.123.123.123 200 ... 0 14030 0.957 0.444 text/plain GET http://... */
251 printf("%06u %s %-21s %-21s %-15s %-3s %c%c%c %3d %8d %6d.%03d %6d.%03d %-12s %s %s\n",
252 s->id, stamp, src, dst, (ffor ? : "-"), reason,
253 rq_cflag, rp_cflag, rp_hit,
256 (uns)(ttotal/1000000), (uns)(ttotal%1000000)/1000,
257 (uns)(tresp/1000000), (uns)(tresp%1000000)/1000,
264 static void http_close(struct flow *f, int cause, u64 when)
266 struct http_state *s = f->appl_data;
267 DBG("HTTP: %d CLOSE in state %d (cause %d)\n", s->id, s->state, cause);
268 if (cause != CAUSE_CLOSE)
270 if (s->state != HTTP_IDLE)
273 sprintf(buf, "T%s", flow_cause_names_short[cause]);
274 http_report(f, s, when, buf);
281 http_report(f, s, when, "ERR");
284 http_report(f, s, when, "CUT");
287 http_report(f, s, when, "FIN");
292 pkt_flush_queue(&s->rx_queue);
293 pkt_flush_queue(&s->tx_queue);
299 static struct http_header *http_get_line(struct http_state *s, list *l)
303 struct pkt *p = list_head(l);
306 while (p->data < p->stop)
313 struct http_header *h = mp_alloc(s->pool, sizeof(*h) + s->line_len);
314 memcpy(h->buf, s->line, s->line_len);
315 h->buf[s->line_len] = 0;
316 h->name = h->value = NULL;
320 else if (s->line_len >= MAXLINE-1)
322 DBG("HTTP: Line too long!\n");
323 s->state = HTTP_ERROR;
327 s->line[s->line_len++] = c;
334 static int http_skip_body_bytes(struct http_state *s)
338 struct pkt *p = list_head(s->body_queue);
341 uns avail = pkt_len(p);
342 uns want = s->body_len;
343 uns go = MIN(avail, want);
344 http_log_body(s, p->data, go);
347 s->body_total_size += go;
358 static int http_have_input(list *l)
362 struct pkt *p = list_head(l);
372 static void http_init_xact(struct http_state *s)
374 list_init(&s->req_headers);
375 list_init(&s->resp_headers);
379 s->pool = mp_new(4096);
380 s->req_line = s->resp_line = NULL;
382 s->body_total_size = 0;
387 static void http_parse_hdr(list *l, struct http_header *h)
391 while (*x && *x != ' ' && *x != '\t')
393 while (*x == ' ' || *x == '\t')
396 list_add_tail(l, &h->n);
399 static int http_ask_body(struct http_state *s, list *hdr)
402 if (x = http_lookup_hdr(hdr, "Transfer-Encoding:"))
404 DBG("\tBody encoding: %s\n", x);
405 if (!strcasecmp(x, "chunked"))
407 s->state = HTTP_BODY_CHUNKED;
412 s->state = HTTP_ERROR;
414 else if (x = http_lookup_hdr(hdr, "Content-Length:"))
416 s->body_len = atol(x);
417 DBG("\tBody length: %d\n", s->body_len);
418 s->state = HTTP_BODY_LENGTH;
425 static void http_parse_req(struct http_state *s)
427 if (!strstr(s->req_line, " HTTP/1"))
429 DBG("\tNot a HTTP/1.x request!\n");
430 s->state = HTTP_ERROR;
432 else if (http_ask_body(s, &s->req_headers))
434 else if (!strncasecmp(s->req_line, "POST ", 4))
436 DBG("\tPOST with no request body, that smells!\n");
437 s->state = HTTP_BODY_INF;
441 DBG("\tNo request body, awaiting reply\n");
442 s->state = HTTP_RESPONSE;
444 s->body_queue = &s->tx_queue;
445 s->body_end_state = HTTP_RESPONSE;
448 static void http_parse_resp(struct http_state *s)
450 if (!strncasecmp(s->req_line, "HEAD ", 5))
452 DBG("\tHEAD has no body :)\n");
453 s->state = HTTP_DONE;
455 else if (http_ask_body(s, &s->resp_headers))
457 else if (!strncasecmp(s->req_line, "GET ", 4) && strstr(s->resp_line, " 200 "))
459 DBG("\tGET with no response body, that smells!\n");
460 s->state = HTTP_BODY_INF;
464 DBG("\tNo response body\n");
465 s->state = HTTP_DONE;
467 s->body_queue = &s->rx_queue;
468 s->body_end_state = HTTP_DONE;
471 static void http_input(struct flow *f, int dir, struct pkt *p)
473 struct http_state *s = f->appl_data;
474 struct http_header *h;
475 int fin_tx = (f->pipe[0].state == FLOW_FINISHED);
476 int fin_rx = (f->pipe[1].state == FLOW_FINISHED);
478 // DBG("dir=%d txf=%d rxf=%d len=%d\n", dir, fin_tx, fin_rx, pkt_len(p));
479 if (s->state == HTTP_ERROR || s->state == HTTP_CUT)
481 DBG("HTTP: %d DROPPING INPUT\n", s->id);
486 list_add_tail((dir ? &s->tx_queue : &s->rx_queue), &p->n);
489 DBG("HTTP: %d STATE %d\n", s->id, s->state);
493 if (fin_tx || !http_have_input(&s->tx_queue))
495 s->state = HTTP_REQUEST;
496 if (!s->req_start_time)
497 s->req_start_time = p->timestamp;
501 if (fin_tx || fin_rx)
503 if (!(h = http_get_line(s, &s->tx_queue)))
505 DBG("\t>> %s\n", h->buf);
506 http_log_req_line(s, h->buf);
511 s->req_line = h->buf;
514 http_parse_hdr(&s->req_headers, h);
518 case HTTP_BODY_LENGTH:
521 if (!http_skip_body_bytes(s))
523 DBG("\tEnd of body\n");
524 s->state = s->body_end_state;
526 case HTTP_BODY_CHUNKED:
531 if (!http_skip_body_bytes(s))
534 else if (s->body_trailer)
536 if (!(h = http_get_line(s, s->body_queue)))
540 DBG("\tEnd of chunk-encoded body\n");
541 s->state = s->body_end_state;
546 if (!(h = http_get_line(s, s->body_queue)))
548 if (sscanf(h->buf, "%x", &s->body_len) != 1)
551 s->body_len += 2; /* extra CRLF */
552 else /* last chunk */
558 http_skip_body_bytes(s);
561 DBG("\tEnd of FIN-delimited body\n");
562 s->state = s->body_end_state;
570 if (!(h = http_get_line(s, &s->rx_queue)))
572 DBG("\t<< %s\n", h->buf);
573 http_log_resp_line(s, h->buf);
578 s->resp_line = h->buf;
579 s->resp_start_time = p->timestamp;
582 http_parse_hdr(&s->resp_headers, h);
587 DBG("\tTransaction finished.\n");
588 if (!strncasecmp(s->req_line, "CONNECT ", 8))
590 s->state = HTTP_CONNECT;
593 http_report(f, s, p->timestamp, NULL);
594 s->state = HTTP_IDLE;
595 s->req_start_time = 0;
599 s->body_queue = &s->rx_queue;
600 http_skip_body_bytes(s);
602 s->body_queue = &s->tx_queue;
603 http_skip_body_bytes(s);
614 DBG("HTTP: %d ERROR: PROTOCOL VIOLATION\n", s->id);
615 s->state = HTTP_ERROR;
619 DBG("HTTP: %d ERROR: UNEXPECTED EOF\n", s->id);
623 struct appl_hooks appl_http = {