Query pcap Data Using the Fixed Filter Option
You can search or filter the PCAP data by the packet header with the fixed filter command line tool.
-pf
or
--packet_filter
options.The fixed filter option tool is executed by
${metron_home}/bin/pcap_query.sh [fixed|query]
You can filter or query for the following fields in the PCAP data:
- ip_scr_addr
- ip_dst_addr
- ip_src_port
- ip_dst_port
- protocol
- timestamp
Fixed filter options:
-bop,--base_output_path <arg> Query result output path. Default is '/tmp'. -bp,--base_path <arg> Base PCAP data path. Default is '/apps/metron/pcap'. -da,--ip_dst_addr <arg> Destination IP address. -df,--date_format <arg> Date format to use for parsing start_time and end_time. Default is to use time in millis since the epoch. -dp,--ip_dst_port <arg> Destination port. -pf, --packet_filter <arg> Packet filter regex -et,--end_time <arg> Packet end time range. Default is current system time. -nr,--num_reducers <arg> The number of reducers to use. Default is 10. -h,--help Display help. -ir,--include_reverse Indicates if filter should check swapped src/dest addresses and IPs. -p,--protocol <arg> IP Protocol. -rpf Maximum number of records per file. -sa,--ip_src_addr <arg> Source IP address. -sp,--ip_src_port <arg> Source port. -st,--start_time <arg> (required) Packet start time range.
Fixed filter examples:
$METRON_HOME/bin/pcap_query.sh fixed \ -st "20160617" \ -df "yyyyMMdd" \ -sa 192.168.138.158 \ -da 123.456.789.012 \ -sp 49197 \ -dp 80 \ -p 6 -rpf 500
To search for every packet that has an ip_dst_port of 8080 and contains the text "persist", run:
$METRON_HOME/bin/pcap_query.sh fixed \ --ip_dst_port 8080 \ --packet_filter \ "\`persist\`" \ -st "20170425" \ -df "yyyyMMdd"