I want to know if there is a way to monitor the size and time taken for an HTTP request in a TLS transaction using a proxy or other network traffic inspection tool. Note that I do not want to inspect the content of the request or response. However, I just want to know the number of HTTP requests, and the time and size for each request.
2 Answers
HTTP/1.x traffic consists of a single request followed by a single response inside a TCP or TLS connection. There can be multiple requests and matching responses inside the same connection, but typically a new request is only sent once the response is received fully. With this in mind you can do a flow analysis, i.e. look at records of type application_data and analyse in which direction they are sent (i.e. request or response) and how many bytes they transport. From this you can easily distinguish requests and responses even if the traffic is encrypted. You will also get the sizes of requests and responses, although not the exact number of bytes but a close value.
While this describes typical HTTP/1.x traffic, there can be some less common behavior. Some clients use HTTP pipelining, where requests are already sent before the previous response is received. Due to this, message boundaries (i.e. end of request and response) are harder or impossible to detect. This is also true with HTTP/2 traffic, where multiple requests and responses are interleaved inside the same TLS connection. And then there are WebSockets, which provide a bidirectional data exchange after the initial request and response pair. Depending on the kind of data exchange this might look similar to request and response or completely different.
Thanks, this clears certain things. While I can do this by running tcpdump and inspecting it using a tool such as wireshark, do you know if it can be done using a web proxy such as squid? – user1743182 May 25 '17 at 20:18
@user1743182: I don't think that squid gives you a way to do flow analysis on encrypted traffic and most other proxies probably will not do this either. This is simply not the use case they are designed for. – Steffen Ullrich May 25 '17 at 20:21
Thanks for the info. Are there other tools apart from tcpdump that can help me do the above kind of analysis? – user1743182 Jun 03 '17 at 22:19
@user1743182: I don't think that there is a tool which already does exactly what you want so you need to write your own. Many programming languages provide bindings to libpcap or similar libraries which allow you to sniff traffic or process pcap files. – Steffen Ullrich Jun 04 '17 at 06:21
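As an added illustration of the flow analysis described in this answer (example code written here, not code from the answer's author or from any tool it mentions): the Python below parses TLS record headers from a constructed, direction-tagged sample and pairs each burst of client-bound application_data records with the server-bound burst that follows it, yielding the request count plus size and elapsed time per exchange. It assumes each segment carries whole records (a real tool would first reassemble the TCP stream per direction) and, as the answer notes, the pairing heuristic breaks down under pipelining, HTTP/2 and WebSockets.

```python
import struct
from typing import Iterator, List, Tuple

APPLICATION_DATA = 0x17  # TLS record content type: application_data
HANDSHAKE = 0x16         # TLS record content type: handshake (ignored below)


def tls_records(stream: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (content_type, payload_length) for each complete TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + 5])
        if off + 5 + length > len(stream):
            break  # truncated trailing record: wait for more data in a real capture
        yield ctype, length
        off += 5 + length


def make_record(ctype: int, payload: bytes) -> bytes:
    """Build a TLS 1.2-style record header (version 0x0303) in front of an opaque payload."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


# Constructed sample, not captured traffic: (timestamp_s, direction, bytes) with
# direction "c2s" (client to server) or "s2c" (server to client). Two HTTP/1.x
# exchanges over one TLS connection; payload contents are irrelevant and opaque.
SAMPLE = [
    (0.000, "c2s", make_record(HANDSHAKE, b"\x00" * 8)),
    (0.010, "s2c", make_record(HANDSHAKE, b"\x00" * 8)),
    (0.020, "c2s", make_record(APPLICATION_DATA, b"\x00" * 300)),      # request 1
    (0.150, "s2c", make_record(APPLICATION_DATA, b"\x00" * 16384)),    # response 1, part 1
    (0.160, "s2c", make_record(APPLICATION_DATA, b"\x00" * 4000)),     # response 1, part 2
    (0.500, "c2s", make_record(APPLICATION_DATA, b"\x00" * 120)
                   + make_record(APPLICATION_DATA, b"\x00" * 80)),     # request 2, two records
    (0.900, "s2c", make_record(APPLICATION_DATA, b"\x00" * 512)),      # response 2
]


def flow_analysis(segments) -> List[dict]:
    """Pair client-bound application_data bursts with the server-bound bursts that follow."""
    exchanges: List[dict] = []
    cur = None
    for ts, direction, data in segments:
        for ctype, length in tls_records(data):
            if ctype != APPLICATION_DATA:
                continue  # handshake, alerts, etc. are not HTTP payload
            if direction == "c2s":
                if cur is None or cur["response_bytes"] > 0:
                    # client data after a response has been seen starts a new request
                    if cur is not None:
                        exchanges.append(cur)
                    cur = {"start": ts, "end": ts, "request_bytes": 0, "response_bytes": 0}
                cur["request_bytes"] += length
            elif cur is not None:
                cur["response_bytes"] += length
                cur["end"] = ts
    if cur is not None:
        exchanges.append(cur)
    for e in exchanges:
        e["elapsed"] = round(e["end"] - e["start"], 3)
    return exchanges
```

Sizes include TLS record overhead (padding, MAC or AEAD tag), which is why the answer calls them close rather than exact values.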
You need a network analyser such as wireshark. This will allow you to see this information. https://www.wireshark.org/
I can use wireshark or squid proxy to log HTTP requests for unencrypted traffic. However, what is the filter that I should use in wireshark for encrypted traffic? – user1743182 May 25 '17 at 20:10
I am still confused. How do I figure out HTTP requests from the filtered data? – user1743182 May 25 '17 at 20:22