Is there any way to identify and mark packets based on their layer 7 protocol? Specifically, I want to identify all HTTP or HTTPS packets, regardless of the destination port used. Is this possible in Mikrotik?
Craig
I think only port-based, if the default ports are used: ports 447 and 80, if I reckon correctly.
You can use the content field to pick out pieces of the headers, i.e.:
GET /
or
HTTP/1.1
or
Server: Microsoft IIS
etc …
Sam
Thanks for that suggestion.
Can “content” use regular expressions, or is it simply a direct text match?
Craig
I believe it is just a text match … if it was using RegEx it would be way too slow to search every single packet.
Sam
I’ve briefly looked into matching HTTPS packets - everything appears to be binary only during a https/ssl transfer, so I am not sure if you can use a text match.
Has anyone done this?
Umm, it would completely defeat the point of https/ssl if you could do that.
The “s” in https (and the first “s” in ssl), stand for “secure”. I.e. encrypted, i.e. not readable by the guys in the middle.
So no, no one has done that (except perhaps some three letter agency).
–Eric
You might be able to identify what the ssl cert being used is, or some bytes at the beginning of the conversation that identify it as an ssl connection. Like Eric said, you wouldn’t be able to capture it, but I think there is a way to identify it. If I have a few mins I will do some testing to see if it can be done with the content field.
Sam
Yes, I know that - but even the first request packet is binary (unencrypted) so you can’t even mark an SSL session.
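
An added example, not part of the original thread: the posts above suggest matching header text such as `GET /` or `HTTP/1.1`, and looking at the bytes at the beginning of an SSL conversation. This Python sketch classifies the first TCP payload of a connection on any port. The function name and sample payloads are constructed for illustration, and the TLS check assumes the standard record header (content type 0x16, major version 0x03) followed by a ClientHello or ServerHello.

```python
import struct

# Request methods that can open an HTTP/1.x request line.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")


def classify_first_payload(payload: bytes) -> str:
    """Return 'http', 'tls' or 'unknown' for the first payload of a TCP flow."""
    # HTTP request: "<METHOD> <target> HTTP/1.x" on the first line.
    if payload.startswith(HTTP_METHODS):
        first_line = payload.split(b"\r\n", 1)[0]
        if first_line.rsplit(b" ", 1)[-1].startswith(b"HTTP/1."):
            return "http"
    # HTTP response: status line starts with the version.
    if payload.startswith(b"HTTP/1."):
        return "http"
    # TLS record header: type(1) major(1) minor(1) length(2), then the
    # handshake message type. The header is sent in the clear even though
    # the application data that follows is encrypted.
    if len(payload) >= 6:
        rec_type, major, minor, length = struct.unpack("!BBBH", payload[:5])
        is_handshake = rec_type == 0x16
        sane_version = major == 0x03 and minor <= 0x04
        sane_length = 0 < length <= 16384
        is_hello = payload[5] in (0x01, 0x02)  # ClientHello / ServerHello
        if is_handshake and sane_version and sane_length and is_hello:
            return "tls"
    return "unknown"


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "http on 8080": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "http response": b"HTTP/1.1 200 OK\r\nServer: Microsoft IIS\r\n\r\n",
    "tls on 8443": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + b"\x00" * 32,
    "ssh banner": b"SSH-2.0-OpenSSH_9.0\r\n",
    "GET-like text": b"GET lucky\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:15s} -> {classify_first_payload(data)}")
```
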