Breaking out all metrics in a transaction


#1

Writing effective triggers is just as much about knowing what information is available as it is about executing on that information effectively. Without breaking out Wireshark, we can build off of tools like Noreaster's post on breaking out HTTP headers. The following can print out all the automatically parsed metrics tied to a transaction.

NOTE: THIS IS NOT OPTIMIZED. DO NOT APPLY TO PRODUCTION SYSTEMS

The trigger is currently configured for HTTP events, but can easily be reconfigured for any ExtraHop metrics by replacing the HTTP in the following with other metric keys (DB, CIFS, ICA, etc.). The delimiter is also configurable, in the case where the pipe character may be expected output.

// HTTP_REQUEST, HTTP_RESPONSE
// Change the delimiter if '|' can legitimately appear in the logged values
var delim = ' | ';

// 'event' is the name of the trigger event that fired
var msg = 'Event : ' + event;
msg += delim + 'ServerMAC : ' + Flow.server.device.hwaddr + delim + 'ClientMAC : ' + Flow.client.device.hwaddr;

// Walk every enumerable property of the HTTP object. The try/catch skips
// properties that cannot be read during the current event.
var key;
for (key in HTTP) {
    try {
        msg += delim + key + ' : ' + HTTP[key];
    } catch (err) {}
}

log(msg);

#2

Nice one. Another option might be to construct a JavaScript object using the properties of interest, and then doing a JSON.stringify() on the object. Then, just paste the logged result into your JSON viewer of choice to see the result in a nice, viewable format.

Example:

// Collect only the properties of interest into one object
var httpReq = {
    "headers":HTTP.headers,    // array of {name, value} objects
    "size":HTTP.reqSize,
    "origin":HTTP.origin,
    "referrer":HTTP.referer    // the property is spelled 'referer', as in the header name
};
// One JSON document per transaction in the trigger log
log( JSON.stringify( httpReq ) );

Result:

{"headers":{"0":{"name":"Host","value":"www.extrahop.com"},"1":{"name":"Accept","value":"/"},"2":{"name":"Referer","value":"http://www.extrahop.com/"},"3":{"name":"Accept-Language","value":"en-US,en;q=0.8"},"4":{"name":"Cookie","value":"vt=OGJjYjlmMmM3NGZhZTc0ZTg1NWVjNzc4MGJlMjVkY2U%3D; PHPSESSID=xxxxxx; lf1.acr=self-paced%20online%20course; __utma=175551478.1264854491.1384785691.1384785691.1384785691.1; __utmc=175551478; __utmz=175551478.1384785691.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=2744164-1426ba8c3e7-52e216db-3; __ar_v4=JROAYGWLFZEDBOZDEYE2EQ%3A20131118%3A3%7CMP743O535VHD3J55KTWSHA%3A20131118%3A3%7CNDG3XKYG5RFJNDPR2FA2AN%3A20131118%3A3"},"5":{"name":"Connection","value":"Keep-alive"},"6":{"name":"X-Forwarded-For","value":"141.133.3.168"},"7":{"name":"X-Pss-Loop","value":"pagespeed_proxy"},"8":{"name":"Accept-Encoding","value":"gzip,deflate"},"9":{"name":"User-Agent","value":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36"}},"size":0,"origin":{"hostNames":[],"isV4":true,"isV6":false,"isLinkLocal":false,"isBroadcast":false,"isMulticast":false,"isRFC1918":false},"referrer":"http://www.extrahop.com/"}

Then, simply copy/paste into your favorite JSON viewer:
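The two approaches above, the property walk in #1 and the JSON.stringify() in #2, share one practical problem that the logged result in #2 makes visible: the dump writes the full Cookie header, session ID included, into the trigger log. The following is an added example, not code from either post and not ExtraHop's own API, written as plain Node.js so it can run outside the trigger runtime. It builds a constructed mock of the HTTP object (the shape is an assumption modelled on the output shown in #2, including a getter that throws for a property that is not available in the current event, which is the case the try/catch in #1 guards against), walks every property the way #1 does while flattening nested values instead of printing "[object Object]", and serializes selected fields the way #2 does, with session-bearing headers redacted before anything reaches the log.

```javascript
// Added example: mock ExtraHop-style HTTP object plus safe, redacting dumpers.
// Not from the original posts; the object shape and the throwing getter are
// assumptions used to model the trigger runtime offline.

function makeMockHttp(eventName) {
  // Constructed header set, shaped like the logged result in post #2.
  var headers = [
    { name: 'Host', value: 'www.example.com' },
    { name: 'Cookie', value: 'PHPSESSID=abc123; vt=secret' },
    { name: 'Authorization', value: 'Bearer not-a-real-token' },
    { name: 'User-Agent', value: 'Mozilla/5.0' }
  ];
  var http = { headers: headers, reqSize: 512, referer: 'http://www.example.com/' };
  // Assumption: a response-side property is unreadable during the request
  // event. Modelled as a throwing getter so the try/catch path is exercised.
  Object.defineProperty(http, 'statusCode', {
    enumerable: true,
    get: function () {
      if (eventName !== 'HTTP_RESPONSE') {
        throw new Error('statusCode unavailable in ' + eventName);
      }
      return 200;
    }
  });
  return http;
}

// Header names whose values must never be written to a log as-is.
var SENSITIVE_HEADERS = ['cookie', 'set-cookie', 'authorization', 'proxy-authorization'];

// Return a copy of a {name, value} header list with secret-bearing values masked.
function redactHeaders(headers) {
  return headers.map(function (h) {
    var hidden = SENSITIVE_HEADERS.indexOf(String(h.name).toLowerCase()) !== -1;
    return { name: h.name, value: hidden ? '[REDACTED]' : h.value };
  });
}

// Post #1's loop, generalized: walk every enumerable key, tolerate getters
// that throw, redact headers, and flatten nested objects to JSON.
function dumpMetrics(eventName, obj, delim) {
  var parts = ['Event : ' + eventName];
  var key;
  for (key in obj) {
    var value;
    try {
      value = obj[key];
    } catch (err) {
      value = '<unavailable: ' + err.message + '>';
    }
    if (key === 'headers' && Array.isArray(value)) {
      value = redactHeaders(value);
    }
    if (value !== null && typeof value === 'object') {
      value = JSON.stringify(value);
    }
    parts.push(key + ' : ' + value);
  }
  return parts.join(delim);
}

// Post #2's approach: pick the fields of interest and stringify them,
// after the headers have been redacted.
function buildRequestRecord(http) {
  return JSON.stringify({
    headers: redactHeaders(http.headers),
    size: http.reqSize,
    referrer: http.referer
  });
}

// Stand-alone demo: the request-event dump shows the unavailable property
// and the masked Cookie/Authorization values.
console.log(dumpMetrics('HTTP_REQUEST', makeMockHttp('HTTP_REQUEST'), ' | '));
console.log(buildRequestRecord(makeMockHttp('HTTP_REQUEST')));
```

In a real trigger the redaction step is the part worth keeping even after the debugging dump is removed: anything written with log() ends up in the debug log and in whatever collects it, so mask Cookie, Set-Cookie and Authorization before logging rather than after the fact.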