decodehttp
Decodes HTTP request/response pairs from Ethernet frames, extracting the method, host, path, status code, bytes transferred, and other data.
Command properties
| Item | Description |
|---|---|
| Command type | Processing query |
| Required permission | None |
| License usage | N/A |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Input fields
| Field | Type | Required | Description |
|---|---|---|---|
| payload | binary | Required | Ethernet frame data. If the field is not binary type, the input record is passed through as-is. |
Output fields
| Field | Type | Description |
|---|---|---|
| src_ip | ipaddr | Client IP address |
| src_port | integer | Client port number |
| dst_ip | ipaddr | Server IP address |
| dst_port | integer | Server port number |
| method | string | HTTP method: GET, POST, HEAD, OPTIONS, PUT, DELETE, TRACE, CONNECT |
| host | string | Value of the Host header in the HTTP request |
| path | string | HTTP request path |
| status | string | HTTP response status code (for example: 200, 404, 500) |
| sent | long | Content size sent by the client in bytes |
| rcvd | long | Content size sent by the server in bytes |
| req_time1 | long | HTTP request start time (epoch milliseconds) |
| req_time2 | long | HTTP request end time (epoch milliseconds) |
| res_time1 | long | HTTP response start time (epoch milliseconds) |
| res_time2 | long | HTTP response end time (epoch milliseconds) |
Error codes
Parse errors
N/A
Runtime errors
N/A
Description
The decodehttp command reads an Ethernet frame from the payload field of each input record and decodes HTTP request/response pairs over TCP. If the payload field is not binary type, the input record is passed through to the next command unchanged.
When an HTTP request and response are completed as a pair, one output record is generated. From the request, the method, host, path, and bytes sent are extracted; from the response, the status code and bytes received are extracted. The start and end times of each request and response are recorded in milliseconds, enabling response time analysis.
TCP session state is renewed every second: when the timestamp advances to a new second, the state kept for the previous second is discarded.
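To make the pairing and timing behaviour described above concrete, the following is an added Python example, not Logpresso's code, that implements a reduced decodehttp-style decoder: it parses Ethernet/IPv4/TCP headers, reassembles a Content-Length-framed HTTP message per direction, pairs each response with the request on the same TCP 4-tuple, and emits a record with the same field names as the output table. The frames, addresses, the hostname example.test and the paths are constructed test data. The per-second renewal is modelled as clearing all decoder state when the epoch second of an incoming frame differs from the previous frame's; that, together with Content-Length-only framing and one outstanding request per connection, is an assumption made for the example, not a statement about the command's internals.

```python
import struct

# Added example: a reduced decodehttp-style decoder, not Logpresso's implementation.
IPV4_ETHERTYPE, TCP_PROTO = 0x0800, 6
METHODS = {"GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT"}


def build_frame(src_ip, src_port, dst_ip, dst_port, payload):
    """Constructed Ethernet/IPv4/TCP frame for testing; checksums are left as zero."""
    eth = b"\x00" * 12 + struct.pack("!H", IPV4_ETHERTYPE)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, TCP_PROTO, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src_ip, src_port, dst_ip, dst_port, tcp_payload), or None if not IPv4/TCP."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != IPV4_ETHERTYPE:
        return None
    ip = frame[14:]
    if ip[9] != TCP_PROTO:
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]  # IHL .. total length
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    src_ip, dst_ip = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    return src_ip, src_port, dst_ip, dst_port, tcp[(tcp[12] >> 4) * 4:]


def complete_message(buf):
    """Return (start_line, headers, body) once buf holds a whole HTTP message, else None."""
    sep = buf.find(b"\r\n\r\n")
    if sep < 0:
        return None
    lines = buf[:sep].decode("latin-1").split("\r\n")
    headers = {n.strip().lower(): v.strip() for n, _, v in (h.partition(":") for h in lines[1:])}
    body = buf[sep + 4:]
    if len(body) < int(headers.get("content-length", "0")):
        return None  # body is still arriving in later frames
    return lines[0], headers, body


class HttpDecoder:
    """Pairs each HTTP request with its response on one TCP 4-tuple and emits one record using
    decodehttp's field names. Assumed: Content-Length framing, one request in flight per
    connection, and all state dropped when the epoch second of the frame timestamp changes."""

    def __init__(self):
        self.buffers = {}  # (direction, client 4-tuple) -> [first_seen_ms, bytes]
        self.pending = {}  # client 4-tuple -> request half of the output record
        self.current_sec = None

    def feed(self, frame, ts_ms):
        """Consume one frame; return a finished request/response record or None."""
        if self.current_sec is not None and ts_ms // 1000 != self.current_sec:
            self.buffers.clear()  # per-second session renewal: previous state is dropped
            self.pending.clear()
        self.current_sec = ts_ms // 1000
        parsed = parse_frame(frame)
        if parsed is None or not parsed[4]:
            return None  # not IPv4/TCP, or no payload (pure ACK)
        src_ip, src_port, dst_ip, dst_port, data = parsed
        reverse = (dst_ip, dst_port, src_ip, src_port)
        is_resp = reverse in self.pending or ("res", reverse) in self.buffers
        key = reverse if is_resp else (src_ip, src_port, dst_ip, dst_port)
        slot = ("res" if is_resp else "req", key)
        buf = self.buffers.setdefault(slot, [ts_ms, b""])
        buf[1] += data
        msg = complete_message(buf[1])
        if msg is None:
            return None  # keep buffering this direction until the message is complete
        del self.buffers[slot]
        first_ms, (start, headers, body) = buf[0], msg
        parts = start.split(" ")
        if not is_resp:
            if parts[0] in METHODS:  # anything else is not an HTTP request line
                self.pending[key] = {
                    "src_ip": key[0], "src_port": key[1], "dst_ip": key[2], "dst_port": key[3],
                    "method": parts[0], "host": headers.get("host"),
                    "path": parts[1] if len(parts) > 1 else None,
                    "sent": len(body), "req_time1": first_ms, "req_time2": ts_ms}
            return None
        record = self.pending.pop(key, None)
        if record is None or not start.startswith("HTTP/"):
            return None  # orphan or malformed response: no pair to emit
        record.update(status=parts[1] if len(parts) > 1 else None, rcvd=len(body),
                      res_time1=first_ms, res_time2=ts_ms)
        return record


def demo():
    """Constructed traffic: a POST split over two frames plus its 200 reply, then a GET whose reply lands in the next second."""
    dec, c, s = HttpDecoder(), ("10.0.0.5", 51234), ("192.0.2.10", 80)
    frames = [
        (c, s, b"POST /api/login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 11\r\n\r\n", 1_700_000_000_100),
        (c, s, b"user=alice!", 1_700_000_000_150),
        (s, c, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello", 1_700_000_000_420),
        (c, s, b"GET /late HTTP/1.1\r\nHost: example.test\r\n\r\n", 1_700_000_000_900),
        (s, c, b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n", 1_700_000_001_050),
    ]
    return [dec.feed(build_frame(*a, *b, payload), ts) for a, b, payload, ts in frames]
```

Running `demo()` yields one record, for the POST: `req_time1` is the first frame of the request and `req_time2` the frame that completed it, so `res_time2 - req_time1` is the same quantity the "slowest requests" query below computes. The trailing GET produces nothing because, in this model, its response arrives after the second boundary and the request state has already been discarded; that is the practical consequence of the per-second renewal when analysing response times across a boundary.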
Examples
- Decoding HTTP traffic from a PCAP file

```
pcapfile /opt/logpresso/http-capture.pcap | decodehttp
```

Decodes HTTP request/response pairs from Ethernet frames read from a PCAP file.

- Aggregating requests by HTTP method

```
pcapfile /opt/logpresso/http-capture.pcap | decodehttp | stats count by method
```

Aggregates HTTP requests by method.

- Retrieving the slowest requests

```
pcapfile /opt/logpresso/http-capture.pcap | decodehttp | eval response_time = res_time2 - req_time1 | sort -response_time | limit 10
```

Retrieves the top 10 requests with the longest response times.

- Filtering by specific status code

```
pcapfile /opt/logpresso/http-capture.pcap | decodehttp | search status == "500" | fields src_ip, host, path, status
```

Filters requests that returned an HTTP 500 response.