Using the CLI to Query pcap Data With the Fixed Filter Option
You can use the CLI to run both types of filter queries. When using the CLI with the fixed filter option, you can utilize more options that you can when using the PCAP panel user interface. For example, the PCAP panel user interface does not have an option to specify the number of reducers to use. The fixed filter filters PCAP data by the packet header. The filter runs on explicit matches only so you cannot use any specialized functions or comparison operators.
Execute the fixed filter option using the
fixed
option:
$METRON_HOME/bin/pcap_query.sh fixed
You can query for the following fields in the PCAP data:
ip_scr_addr
ip_dst_addr
ip_src_port
ip_dst_port
protocol
timestamp
You can use the following fixed filter options:
- -bop,--base_output_path <arg>
- Query result output path. Default is
/tmp
. - -bp,--base_path <arg>
- Base PCAP data path. Default is
/apps/metron/pcap
. - -da,--ip_dst_addr <arg>
- Destination IP address.
- -df,--date_format <arg>
- Date format to use for parsing start_time and end_time. Default is to use time in millis since the epoch.
- -dp,--ip_dst_port <arg>
- Destination port.
- -pf, --packet_filter <arg>
- Packet filter regex.
- -et,--end_time <arg>
- Packet end time range. Default is current system time.
- -ft,--finalizer_threads <arg>
- Number of threads to use for the final output writing.
- -nr,--num_reducers <arg>
- The number of reducers to use. Default is 10.
- -h,--help
- Display help.
- -ir,--include_reverse
- Indicates if filter should check swapped src/dest addresses and IPs.
- -p,--protocol <arg>
- IP Protocol.
- -rpf,--records_per_file <arg>
- Maximum number of records per file.
- -sa,--ip_src_addr <arg>
- Source IP address.
- -sp,--ip_src_port <arg>
- Source port.
- -st,--start_time <arg>
- (required) Packet start time range.
- -yq,--yarn_queue <arg>
- Yarn queue this job will be submitted to.
For example:
$METRON_HOME/bin/pcap_query.sh fixed \
-st "20160617" \
-df "yyyyMMdd" \
-sa 192.168.138.158 \
-da 123.456.789.012 \
-sp 49197 \
-dp 80 \
-p 6
-rpf 500
To search for every packet that has an ip_dst_port
of 8080 and
contains the text "persist", run:
$METRON_HOME/bin/pcap_query.sh fixed \
--ip_dst_port 8080 \
--packet_filter \
"\`persist\`" \
-st "20170425" \
-df "yyyyMMdd"