Can I sort traffic by browser?


All my network clients are configured to use a proxy server for their internet usage. I need to know who bypassed it in order to completely enforce it.

I want to see all traffic that comes from the network via IE or Firefox.

As step 1, I'd like to be able to see all HTTP connections going out on ports 80\443.

Step 2 would separate by source - IE or FF.

Is it doable?

Overall Rating: 4 (1 ratings)
vikram_anumukonda Fri, 03/06/2009 - 09:08

You can match the HTTP (not HTTPS, as it is encrypted) traffic based on the user-agent info from the HTTP header (i.e., IE or FF) and then take an action like drop/log, but not sort.


HTH

Vikram


Correct Answer
vikram_anumukonda Fri, 03/06/2009 - 17:42

regex user-agent1 "[Mm][Oo][Zz][Ii][Ll][Ll][Aa]"
regex user-agent2 "[Mm][Ss][Ii][Ee]"
!
class-map type regex match-any mozilla
 match regex user-agent1
!
class-map type regex match-any ie
 match regex user-agent2
!
class-map WEB
 match port tcp eq www

policy-map type inspect http mozilla
 parameters
 match request header user-agent regex class mozilla
  log
!
policy-map type inspect http ie
 parameters
 match request header user-agent regex class ie
  log
!
policy-map global_policy
 class WEB
  inspect http mozilla
!
policy-map INSIDE
 class WEB
  inspect http ie
!
service-policy INSIDE interface inside
!
logging list TEST message 415008
!
logging on
logging trap TEST
logging host <> x.x.x.x
!

You might want to send these messages to a syslog server. 415008 is the syslog message number generated when the HTTP header is matched, and the logging config is to send those messages to the syslog server.

Keep this link, it might come in handy as it gives you the complete break-up of an HTTP request: http://djce.org.uk/dumprequest


This is not a very optimal solution but will get you started.



HTH

vikram
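
Added example (not part of the original thread, and not Cisco code): one way to turn the 415008 messages collected on the syslog server into a per-client count of HTTP requests that left the inside network directly instead of through the proxy. The log line layout, the proxy address 10.0.0.10 and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout of ASA syslog message 415008; check it against your own logs:
#   %ASA-5-415008: HTTP - matched <match> in policy-map <name>, header matched
#   - <action> from <ifc>:<ip>/<port> to <ifc>:<ip>/<port>
LINE_RE = re.compile(
    r"%ASA-\d-415008: .*? in policy-map (?P<pmap>[^\s,]+),"
    r".*? from (?P<src_if>[^\s:]+):(?P<src>[\d.]+)/\d+"
    r" to (?P<dst_if>[^\s:]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Hypothetical proxy address: web requests sourced from it are expected.
PROXY_IPS = {"10.0.0.10"}

# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = """\
Mar  6 17:50:01 fw %ASA-5-415008: HTTP - matched Class 22: match request header user-agent regex class mozilla in policy-map mozilla, header matched - Logging connection from inside:10.0.0.21/51514 to outside:198.51.100.7/80
Mar  6 17:50:04 fw %ASA-5-415008: HTTP - matched Class 22: match request header user-agent regex class mozilla in policy-map mozilla, header matched - Logging connection from inside:10.0.0.21/51520 to outside:203.0.113.9/80
Mar  6 17:50:09 fw %ASA-5-415008: HTTP - matched Class 23: match request header user-agent regex class ie in policy-map ie, header matched - Logging connection from inside:10.0.0.34/49222 to outside:198.51.100.7/80
Mar  6 17:50:11 fw %ASA-5-415008: HTTP - matched Class 22: match request header user-agent regex class mozilla in policy-map mozilla, header matched - Logging connection from inside:10.0.0.10/40112 to outside:198.51.100.7/80
Mar  6 17:50:12 fw %ASA-6-302013: Built outbound TCP connection 77 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.0.0.55/40000 (10.0.0.55/40000)
"""


def direct_clients(log_text, proxy_ips=PROXY_IPS):
    """Return {client_ip: {policy_map: hits}} for clients that bypassed the proxy."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # some other syslog message, or a layout we do not know
        if m["src"] in proxy_ips:
            continue  # the proxy itself is allowed to talk HTTP to the outside
        hits[m["src"]][m["pmap"]] += 1
    return {ip: dict(maps) for ip, maps in hits.items()}


if __name__ == "__main__":
    for ip, maps in sorted(direct_clients(SAMPLE_LOG).items()):
        print(ip, maps)
```

Internet Explorer's User-Agent string also begins with "Mozilla/", so a hit on the mozilla policy-map does not by itself identify Firefox.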

