Question by Paulo M. · Feb 06, 2014 at 11:17 AM ·

Extracting client IP address

I'm trying to extract IP addresses for HTTP requests with the X-Forwarded-For HTTP header. How should I do it?

The documentation is very vague (to say the least). I couldn't figure out if I should set it as a Header regex or a Header tag.

I've set this header regex, but I don't think it's doing anything with it:

%0d%0aX-Forwarded-For:%20\([^%0d%0a,]*\)

 


2 Replies


Answer by Paulo M. · Feb 07, 2014 at 05:37 AM

Thanks, Adam.

It's kind of what I gathered from HTTP Configuration Options for Selected User-Defined Software Services. But the example doesn't seem to match the explanation.

And what if there's more than one X-Forwarded-For HTTP header or the value is a comma-separated list of IP addresses?


Adam P. ♦♦ · Feb 07, 2014 at 06:24 AM

If the value is not a single IP address, then using a regex is the best way. It should be possible by surrounding the part that contains the desired IP with round brackets and "covering" the rest with a regex.

The case when we have two X-Forwarded-For fields in the HTTP header is rather not expected, and we should first test it out before saying anything.

Do you have any example capture we can take a look at?

Paulo M. Adam P. ♦♦ · Feb 07, 2014 at 07:07 AM

I haven't seen any request with multiple X-Forwarded-For HTTP headers (yet), but my colleague in charge of the proxies says that some misbehaved proxies might add extra X-Forwarded-For HTTP headers instead of adding to an existing one.

What I've seen is something like this:

GET ... HTTP/1.0
Accept: application/javascript, */*;q=0.8
Referer: ...
Accept-Language: pt-PT
User-Agent: ...
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 05 Mar 2013 18:39:42 GMT; length=13942
Cookie: ...
Host: ...
Via: 1.1 localhost (squid/3.1.6), 1.1 e1-escc:3131 (squid/2.7.STABLE9)
X-Forwarded-For: 10.253.122.38, 10.253.120.99
Cache-Control: max-age=0
Connection: keep-alive

So far, I've tried this header regex: %0d%0aX-Forwarded-For:%20\([^%0d%0a,]*\)

But I don't think it's working.

What am I doing wrong?

Adam P. ♦♦ Paulo M. · Feb 12, 2014 at 12:02 PM

Let me know your version so we can test our best answer:

X-Forwarded-For: [^,]*, \(.*\)

to make sure it works well.

Paulo M. Adam P. ♦♦ · Feb 12, 2014 at 12:11 PM

12.1.2

Your regex gets the first IP from a list of IPs. It doesn't account for when the X-Forwarded-For only has one IP address.

Adam P. ♦♦ Paulo M. · Feb 12, 2014 at 12:33 PM

Thank you for the version - I will test it and let you know.

Adam P. ♦♦ Adam P. ♦♦ · Feb 20, 2014 at 04:21 PM

Verified on 12.1.2.

Regardless of the number of IPs, if you want to retrieve the last one, use:

X-Forwarded-For:.*([.0-9]*$).\n.*

In case you want to report the first one, use:

X-Forwarded-For: ([.0-9]*)

Paulo M. Adam P. ♦♦ · Feb 21, 2014 at 09:27 AM

Does that mean that this documentation is wrong in more than one way?

Adam P. ♦♦ Paulo M. · May 20, 2014 at 02:42 PM

Paulo,

I understand you mean that example:

GET http://www.slow-server.com/login.jsp HTTP/1.1
Accept: */*
Referer: http://www.slow-server.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: www.slow-server.com
Connection: Keep-Alive
Cookie: FPB=061j8hura11q56cv; CRZY9=t=1;
REMOTE_ADDR: 10.1.0.2

does not mean the explanation:

The following regular expression extracts the address 10.1.0.2 from the REMOTE_ADDR field:
%0d%0aREMOTE_ADDR:%20\([^%0d%0a]*\)%0d%0a
The expression must contain a single sub-expression delimited by pairs of characters “\(” and “\)”. The expression in this example states that the search string should start at the beginning of a header line and end at the end of the line (note the use of % to denote the hex values of the carriage return and line feed characters). The line should start with the string “REMOTE_ADDR:”. The sub-expression to extract is a string of characters different than ASCII CR or LF, and it should occur after the space following “REMOTE_ADDR:” 

Would you please help me understand in what way it's not matching?

Or maybe I misunderstood your question?

Paulo M. Adam P. ♦♦ · May 30, 2014 at 06:35 PM

According to the documentation, it should be:

X-Forwarded-For:%20\([.0-9]*\)

Adam P. ♦♦ Paulo M. · Jun 09, 2014 at 02:03 PM

You're right - the documentation is wrong about it. We will make sure it will be corrected.
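
An added example, not part of the thread and not Dynatrace code: the cases raised above (a single address, a comma-separated list, repeated X-Forwarded-For lines) handled in Python rather than in the AMD regex dialect. The sample request is constructed from the one quoted in the thread, and the function names and the `trusted_proxies` parameter are assumptions of this example.

```python
import ipaddress

# Constructed sample modelled on the request quoted in the thread, plus a
# second X-Forwarded-For line of the kind a misbehaving proxy might add.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.0\r\n"
    "Host: www.example.test\r\n"
    "Via: 1.1 localhost (squid/3.1.6), 1.1 e1-escc:3131 (squid/2.7.STABLE9)\r\n"
    "X-Forwarded-For: 10.253.122.38, 10.253.120.99\r\n"
    "x-forwarded-for: 192.0.2.7\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

def forwarded_chain(raw_request):
    """Return every valid X-Forwarded-For address, in order of appearance."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    chain = []
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "x-forwarded-for":
            continue
        for token in value.split(","):
            try:
                chain.append(ipaddress.ip_address(token.strip()))
            except ValueError:
                continue                           # drop "unknown" and other junk
    return chain

def client_ip(raw_request, trusted_proxies=()):
    """Return the rightmost hop that is not one of our own proxies.

    Entries left of that hop arrived from the client side and can be forged,
    so they are only a hint. Returns None when no usable address is found.
    trusted_proxies (hypothetical parameter): CIDR strings for known proxies.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    for addr in reversed(forwarded_chain(raw_request)):
        if not any(addr.version == n.version and addr in n for n in nets):
            return str(addr)
    return None
```

With no trusted proxies configured this reports the last address seen; reporting the first entry instead means trusting a value the client itself can set.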


Answer by Adam P. · Feb 07, 2014 at 04:26 AM

Paulo,

If the X-Forwarded-For HTTP field contains just an IP address, it's recommended to use a Header tag, as it introduces less load on the AMD than using other options. It's also recommended to do it within a particular Software Service rather than globally:
