Filtering Large HTTP Objects

Problem

Sometimes very large objects are transferred via HTTP (file downloads, streaming video). When many such objects are transferred at the same time, Microolap EtherSensor may consume a lot of RAM, and as a result the performance of both EtherSensor and its environment may degrade.

We need a filter that blocks large HTTP objects and drops them before analysis.

Solution Logic

To drop large HTTP objects before full analysis (and before they are loaded into memory for analysis), we use an HTTP filter. To check the size of an HTTP request or response, we use the "size" condition, which checks the size of both the request and the response.

Solution

The HTTP filter file may look like this:

<?xml version="1.0" encoding="utf-8"?>
<filter name="HTTP filter" version="1.0">

  <table name="main">

    <rule enabled="1">
      <comment>
        The rule stops processing HTTP objects for which
        the request or response size is greater than 1MB.
      </comment>
      <match>
        <c name="size" op="gt" value="1M"/>
      </match>
      <action name="drop" />
    </rule>

    <rule enabled="true">
      <action name="accept" />
    </rule>
  </table>
</filter>

For a detailed description of the "size" HTTP filtering condition, refer to the "REQ-SIZE, RESP-SIZE, SIZE Condition" section.

Comments and General Recommendations

1. Instead of the "size" condition, which checks both the request and the response size, you can use the "req-size" condition (to check only the size of the HTTP request) or the "resp-size" condition (to check only the size of the HTTP response).
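The following Python script is an added illustration of how a first-match filter table like the one above is evaluated against sizes; it is not EtherSensor's own code and makes no claim about how the product parses its filter files. It loads the page's filter from a constructed copy of the XML, supports the "size", "req-size" and "resp-size" conditions from this page, and goes slightly beyond the page by accepting several comparison operators. Assumptions are marked in comments: binary size suffixes (so "1M" is 1 MiB), the operator set, the reading that "size" fires when either the request or the response trips the limit (following the rule comment on the page), and acceptance of objects no rule matches.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed copy of the page's filter, used as sample input (not a file
# shipped with EtherSensor).
FILTER_XML = """<?xml version="1.0" encoding="utf-8"?>
<filter name="HTTP filter" version="1.0">
  <table name="main">
    <rule enabled="1">
      <match>
        <c name="size" op="gt" value="1M"/>
      </match>
      <action name="drop"/>
    </rule>
    <rule enabled="true">
      <action name="accept"/>
    </rule>
  </table>
</filter>
"""

# Assumption: binary size suffixes, so "1M" means 1 MiB.
_UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

# Assumption: the comparison operators a condition may use.
_OPS = {
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "eq": lambda a, b: a == b,
}


def parse_size(text: str) -> int:
    """Turn a value such as "1M", "512K" or "4096" into a byte count."""
    text = text.strip().upper()
    if text[-1] in _UNITS:
        return int(text[:-1]) * _UNITS[text[-1]]
    return int(text)


@dataclass
class Rule:
    conditions: list  # (condition name, operator, limit in bytes)
    action: str


def load_rules(xml_text: str, table: str = "main") -> list:
    """Read the enabled rules of one table, keeping file order."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    rules = []
    for rule in root.find(f"./table[@name='{table}']").findall("rule"):
        # The page uses both enabled="1" and enabled="true"; treat both as on.
        if rule.get("enabled", "1").lower() not in ("1", "true"):
            continue
        conds = [
            (c.get("name"), c.get("op"), parse_size(c.get("value")))
            for c in rule.findall("./match/c")
        ]
        rules.append(Rule(conds, rule.find("action").get("name")))
    return rules


def condition_holds(name, op, limit, req_size, resp_size) -> bool:
    """Evaluate one <c> element against the sizes of a single HTTP object."""
    cmp = _OPS[op]
    if name == "req-size":
        return cmp(req_size, limit)
    if name == "resp-size":
        return cmp(resp_size, limit)
    if name == "size":
        # Reading of the page's rule comment ("request or response size"):
        # the condition fires if either direction trips the limit.
        return cmp(req_size, limit) or cmp(resp_size, limit)
    raise ValueError(f"unsupported condition {name!r}")


def decide(rules, req_size: int, resp_size: int) -> str:
    """First matching rule wins; a rule with no <match> matches everything.
    Assumption: an object that no rule matches is accepted."""
    for rule in rules:
        if all(condition_holds(n, o, l, req_size, resp_size)
               for n, o, l in rule.conditions):
            return rule.action
    return "accept"


if __name__ == "__main__":
    rules = load_rules(FILTER_XML)
    # Constructed sample objects as (request bytes, response bytes).
    for req, resp in [(812, 3_500_000), (1_200, 48_000), (2_000_000, 200)]:
        print(f"req={req} resp={resp} -> {decide(rules, req, resp)}")
```

The first sample object (a large download response) and the third (a large upload request) are dropped by the 1M rule; the second falls through to the catch-all accept rule, which is why that final rule matters: without it the default behaviour for unmatched objects would be whatever the engine chooses, not something the file states.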