The short answer is no.
The long answer:
DCRUM can't decrypt IPSec, so it will never be able to see the HTTP traffic.
Additionally, because IPSec is a tunnelling protocol, we won't even be able to distinguish the HTTP traffic from any other traffic that is also IPSec encrypted (the tunnel could be carrying anything else as well).
If it could be guaranteed that the HTTP traffic you were interested in was the only content of the tunnel, you could set up monitoring of the IPSec tunnel traffic and report on it as if it were the HTTP traffic only. But you'd only see bytes, packets, and basic timing (round trip); no operations/pages would be possible.
Ulf raises a good point. I didn't consider all possible ways of deploying IPSec.
- IPSec VPN: remote users use IPSec for secure access into a corporate network. Typically the VPN access point/router will terminate the IPSec and the rest of the network can be monitored as usual.
- IPSec WAN: the corporate network protects its inter-site Wide Area Network links with IPSec between routers. Again, the internal network (data centre) is fine to monitor, much like the VPN option above.
- IPSec end-to-end: clients and servers negotiate all communications with IPSec protection. This one we can't do much about.
Even in cases 1 and 2, the question remains valid, I think.
I would like to be able to chart together the fact that the tunnel was broken, or being rekeyed/renegotiated and try to correlate this to client/server packet loss/retransmits/tcp_window events deeper down into the datacenter.
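An added example, not part of the original thread and not DCRUM functionality: what a passive monitor can still read from an IPSec ESP tunnel. The ESP header carries the SPI and sequence number in the clear (RFC 4303), so per-tunnel packet and byte counts are available, and a previously unseen SPI between two known peers marks a new SA, which can be timestamped as a rekey for correlation with TCP events inside the data centre. It assumes native ESP (IP protocol 50, no UDP encapsulation) over IPv4; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict

ESP = 50  # IP protocol number for ESP (RFC 4303)

def build_esp_packet(src, dst, spi, seq, payload_len):
    """Build a minimal IPv4+ESP packet (constructed sample, checksum left 0)."""
    body = struct.pack("!II", spi, seq) + bytes(payload_len)  # ciphertext stand-in
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, ESP, 0,
                      bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + body

def parse_esp(pkt):
    """Return (src, dst, spi, seq, length) for an IPv4 ESP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != ESP or len(pkt) < ihl + 8:
        return None
    spi, seq = struct.unpack_from("!II", pkt, ihl)  # only cleartext ESP fields
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return src, dst, spi, seq, len(pkt)

def summarize(capture):
    """capture: iterable of (timestamp, raw_packet). Returns (stats, rekeys)."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    seen_spis, rekeys = defaultdict(set), []
    for ts, pkt in capture:
        parsed = parse_esp(pkt)
        if parsed is None:
            continue  # not ESP: nothing to attribute to the tunnel
        src, dst, spi, _seq, length = parsed
        stats[(src, dst)]["packets"] += 1
        stats[(src, dst)]["bytes"] += length
        # First sight of a new SPI between known peers: a new SA (rekey).
        if spi not in seen_spis[(src, dst)]:
            if seen_spis[(src, dst)]:
                rekeys.append((ts, src, dst, spi))
            seen_spis[(src, dst)].add(spi)
    return dict(stats), rekeys

# Constructed capture: one direction of a site-to-site tunnel, rekey at t=3.0
SAMPLE = [
    (1.0, build_esp_packet("192.0.2.1", "198.51.100.1", 0x1000, 1, 100)),
    (2.0, build_esp_packet("192.0.2.1", "198.51.100.1", 0x1000, 2, 60)),
    (3.0, build_esp_packet("192.0.2.1", "198.51.100.1", 0x2000, 1, 100)),
]
```

Peers that run several child SAs in parallel will show several SPIs at once, so a production version would need to age out old SPIs before treating a new one as a rekey.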