User Guide
Also available as:
PDF

Using REST API to Query pcap Data

The REST API is an alternative to using the CLI and Stellar to query the pcap data. The purpose of this service is to provide a middle tier to negotiate retrieving packet capture data that flows into HCP. This packet data is in a form that libpcap-based tools can read. The REST API exposes the query functionality via http.

This fixed filter is less expressive than the CLI/Stellar filter option. The fixed filter gives you the following values that you can filter on:

  • srcIp

  • srcPort

  • dstIp

  • dstPort

  • startTime

  • endTime

The fixed filter filters on explicit matches only so you cannot use any specialized functions or comparison operators. The query filter is far more expressive because it exposes Stellar, which enables the user to invoke specialized functions, use comparison operators, and perform boolean logic on the parameters.

You can start the fixed filter service either via the init.d script installed, /etc/init.d/pcapservice or directly via the yarn jar command:

yarn jar $METRON_HOME/lib/metron-api-$METRON_VERSION.jar org.apache.metron.pcapservice.rest.PcapService -port $SERVICE_PORT -query_hdfs_path $QUERY_PATH -pcap_hdfs_path $PCAP_PATH

where

  • METRON_HOME is the location of the metron installation

  • METRON_VERSION is the version of the metron installation

  • SERVICE_PORT is the port to bind the REST service to

  • QUERY_PATH is the temporary location to store query results. They are deleted after the service reads them.

  • PCAP_PATH is the path to the packet data on HDFS