HTTP Parsers

The HTTP parser is a native parser that is used for Decoders to parse both requests and responses in HTTP messages. In version 11.4 and later, the HTTP parser provides a decompression option.

The decompression option mimics the decompression option in the Lua HTTP parser and is controlled by the 'decompression' option for the HTTP parser. Parser options are set in the /decoder/parsers/config/parsers.options configuration node. To set an option on the HTTP parser, you append an HTTP="" clause to the parsers.options field so that HTTP can understand the 'decompression' option.

For example, you could add HTTP="decompression=true" to the parser option list to enable decompression of all HTTP compressed bodies.

You can use the following values in the 'decompression' field.

Value Description Example Entry in parsers.options

true

Decompress all bodies HTTP="decompress=true"
false Do not decompress. This is the default. HTTP="decompress=false"

1

Decompress application/* content HTTP="decompress=1"
2 Decompress audio/* content HTTP="decompress=2"

4

Decompress font/* content

HTTP="decompress=4"

8 Decompress image/* content HTTP="decompress=8"

16

Decompress message/* content

HTTP="decompress=16"

32 Decompress model/* content HTTP="decompress=32"

64

Decompress text/* content

HTTP="decompress=64"

128 Decompress video/* content HTTP="decompress=128"

The numeric values can be combined by addition to search for multiple types of content. For example, if you want to decompress application and text content, use 1 + 64 = 65, which becomes HTTP="decompress=65".

To set the decompression option:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services and select a Decoder, and in the actions menu (netwitness_ic-actns.png), select View > Explore.
  2. Expland decoder > parsers and select config.
  3. In parsers.options, append HTTP="decompress=<option from table>".
  4. In the left panel, right-click parsers and click Properties. In the drop-down menu, select reload and then click Send.

Visibility into HTTP/2 Sessions

You can search for metadata items derived from headers in the HTTP/2 stream to gain visibility into HTTP/2 sessions.

To turn on header parsing for HTTP/2 sessions:

  1. Go to ADMIN > Services and select a Decoder, and in the actions menu (netwitness_ic-actns.png), select View > Explore.
  2. Expland decoder > parsers and select config.
  3. In parsers.options, append HTTP2="headers=true".
  4. In the left panel, right-click parsers and click Properties. In the drop-down menu, select reload and then click Send.