Using REST API to Query pcap Data
The REST API is an alternative to using the CLI and Stellar to query the pcap data. The purpose of this service is to provide a middle tier to negotiate retrieving packet capture data that flows into HCP. This packet data is in a form that libpcap-based tools can read. The REST API exposes the query functionality via HTTP.
The REST API offers a fixed filter, which is less expressive than the CLI/Stellar query filter. The fixed filter lets you filter on the following values:
srcIp
srcPort
dstIp
dstPort
startTime
endTime
The fixed filter matches on explicit values only, so you cannot use specialized functions or comparison operators. The query filter is far more expressive because it exposes Stellar, which lets the user invoke specialized functions, use comparison operators, and apply boolean logic to the parameters.
You can start the fixed filter service either via the installed init.d script, /etc/init.d/pcapservice, or directly via the yarn jar command:
yarn jar $METRON_HOME/lib/metron-api-$METRON_VERSION.jar org.apache.metron.pcapservice.rest.PcapService -port $SERVICE_PORT -query_hdfs_path $QUERY_PATH -pcap_hdfs_path $PCAP_PATH
where
METRON_HOME is the location of the Metron installation
METRON_VERSION is the version of the Metron installation
SERVICE_PORT is the port to bind the REST service to
QUERY_PATH is the temporary location to store query results. They are deleted after the service reads them.
PCAP_PATH is the path to the packet data on HDFS
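As an added client-side example (not code from the Metron project), the following Python builds a fixed-filter query URL from the six values listed above, validating them before they reach the service, and checks that a returned body is a well-formed libpcap capture before it is handed to libpcap-based tools. The endpoint path and the sample capture are assumptions, not taken from this page.

```python
import ipaddress
import struct
import urllib.parse

# Endpoint path is an assumption (the page does not name it); adjust to your deployment.
PCAP_ENDPOINT = "/pcapGetter/getPcapsByIdentifiers"
# libpcap magic 0xa1b2c3d4 as stored on disk, mapped to the struct byte-order prefix.
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}


def build_query_url(base_url, **filters):
    """Validate fixed-filter values (srcIp, srcPort, dstIp, dstPort, startTime, endTime) and encode them."""
    params = {}
    for name, value in filters.items():
        if name in ("srcIp", "dstIp"):
            params[name] = str(ipaddress.ip_address(value))   # rejects malformed addresses
        elif name in ("srcPort", "dstPort"):
            if not 0 <= int(value) <= 65535:
                raise ValueError(f"{name} out of range: {value}")
            params[name] = str(int(value))
        elif name in ("startTime", "endTime"):
            params[name] = str(int(value))
        else:
            raise ValueError(f"{name} is not a fixed-filter field")
    if "startTime" in params and "endTime" in params and int(params["endTime"]) < int(params["startTime"]):
        raise ValueError("endTime precedes startTime")
    if not params:
        raise ValueError("at least one fixed-filter value is required")
    return base_url.rstrip("/") + PCAP_ENDPOINT + "?" + urllib.parse.urlencode(params)


def count_pcap_records(data):
    """Check the libpcap global header and walk every record, rejecting truncated responses."""
    if len(data) < 24 or data[:4] not in PCAP_MAGIC:
        raise ValueError("response is not a libpcap file")
    endian, offset, count = PCAP_MAGIC[data[:4]], 24, 0   # 24-byte global header
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header")
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            raise ValueError("truncated record body")
        offset, count = offset + 16 + incl_len, count + 1
    return count


# Constructed two-record little-endian capture standing in for a service response.
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + struct.pack("<IIII", 1500000000, 0, 4, 4) + b"\xde\xad\xbe\xef"
               + struct.pack("<IIII", 1500000001, 10, 3, 3) + b"\x01\x02\x03")
```

The query result can be fetched with any HTTP client (for example urllib.request.urlopen on the built URL) and its bytes passed to count_pcap_records before being written to disk for tcpdump or Wireshark.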