Can I sort traffic by browser?

Answered Question
Mar 6th, 2009

All my network clients are configured to use a proxy server for their internet usage. I need to know who bypassed it in order to completely enforce it.

I want to see all traffic that comes from the network via IE or Firefox.

As step 1, I'd like to be able to see all HTTP connections going out on ports 80\443.

Step 2 would separate by source: IE or FF.

Is it doable?

vikram_anumukonda Fri, 03/06/2009 - 09:08

You can match the HTTP (not HTTPS, as it is encrypted) traffic based on the user-agent info from the HTTP header (i.e., IE or FF) and then take an action like drop/log. But not sort.

HTH

Vikram

ofir@oscar Fri, 03/06/2009 - 09:11

How? Is it possible to export that log to any kind of data file?

Correct Answer
vikram_anumukonda Fri, 03/06/2009 - 17:42

regex user-agent1 "[Mm][Oo][Zz][Ii][Ll][Ll][Aa]"
regex user-agent2 "[Mm][Ss][Ii][Ee]"
!
class-map type regex match-any mozilla
 match regex user-agent1
!
class-map type regex match-any ie
 match regex user-agent2
!
class-map WEB
 match port tcp eq www
policy-map type inspect http mozilla
 parameters
 match request header user-agent regex class mozilla
  log
!
policy-map type inspect http ie
 parameters
 match request header user-agent regex class ie
  log
!
policy-map global_policy
 class WEB
  inspect http mozilla
!
policy-map INSIDE
 class WEB
  inspect http ie
!
service-policy INSIDE interface inside
!
logging list TEST message 415008
!
logging on
logging trap TEST
logging host <> x.x.x.x
!

You might want to send these messages to a syslog server. 415008 is the syslog message number generated when the HTTP header is matched, and the logging config is there to send those messages to the syslog server.

Keep this link, it might come in handy as it gives you the complete break-up of an HTTP request: http://djce.org.uk/dumprequest

This is not a very optimal solution but will get you started.

HTH

vikram
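
Added example (not part of the post above and not Cisco's code): IE and Firefox both send a User-Agent that begins with "Mozilla/", so the mozilla pattern in the config also fires on IE requests. This Python sketch runs the page's two patterns over constructed User-Agent samples and then separates the browsers by their specific tokens; the client IPs, the sample headers and the function names are assumptions made for the illustration.

```python
import re
from collections import Counter

# The two patterns from the ASA config above, copied character for character.
PAGE_REGEX = {
    "mozilla": re.compile(r"[Mm][Oo][Zz][Ii][Ll][Ll][Aa]"),
    "ie": re.compile(r"[Mm][Ss][Ii][Ee]"),
}

# Constructed sample: (client IP, User-Agent header) pairs, not real traffic.
IE_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
FF_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) "
         "Gecko/2009011913 Firefox/3.0.6")
SAMPLE = [
    ("10.0.0.11", IE_UA),
    ("10.0.0.12", FF_UA),
    ("10.0.0.12", FF_UA),
    ("10.0.0.13", "Wget/1.11.4"),
]


def page_matches(ua):
    """Names of the page's regex classes that fire on this header."""
    return sorted(name for name, rx in PAGE_REGEX.items() if rx.search(ua))


def classify(ua):
    """Tell the browsers apart: test the specific token before the shared one."""
    if re.search(r"MSIE \d", ua):
        return "ie"
    if re.search(r"Firefox/\d", ua):
        return "firefox"
    if ua.startswith("Mozilla/"):
        return "other-mozilla"
    return "non-browser"


def tally(records):
    """Count requests per (client IP, browser) pair."""
    return Counter((ip, classify(ua)) for ip, ua in records)


if __name__ == "__main__":
    for ip, ua in SAMPLE:
        print(ip, page_matches(ua), classify(ua))
    for (ip, browser), count in sorted(tally(SAMPLE).items()):
        print(f"{ip},{browser},{count}")
```

The User-Agent header is set by the client, so the tally is an inventory aid rather than proof of which program made a request.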