The PCAP panel user interface is ideally suited for the SOC analyst who is identifying
and investigating malicious events. You can use the PCAP panel to refine query information
provided by other UIs such as the Alerts or Kibana tools. The PCAP panel uses the fixed filter
option to query the PCAP data. The PCAP panel provides a graphical user interface to
explicitly define the parameters used in the query.
Display the Ambari user interface.
If you have not already done so, in the Services pane, select
Metron.
From the Quick Links menu, choose Alerts
UI.
From the Alerts UI, click the PCAP tab.
Use the date, IP information, and protocol fields to define the parameters of your
query, then click (search icon).
You can stop a job by clicking the X next to the job
progress bar.
From and To
The starting and end dates of your search.
The From field defaults to 5 days prior to current
date. The To field defaults to the current date and
time.
IP Source Address
The IP source address.
IP Source Port
The IP source port.
IP Dest Address
The IP destination address.
IP Dest Port
The IP destination port.
Protocol
The network protocol. This should be the string value of the protocol.
Include Reverse Traffic
Queries bi-directionally. Runs the query so that it swaps the order of the
query between IP Source address and Destination Address.
Filter
Allows you to run a binary regular expression.
Filtering can be done both by the packet header as well as with a binary
regular expression which can be run on the packet payload itself. This
filter can be specified with:
The -pf or --packet_filter options
for the fixed query filter
The BYTEARRAY_MATCHER(pattern, data) Stellar
function. The first argument is the regex pattern and the second
argument is the data. The packet data will be exposed by
thepacket variable in Stellar.
To download the PCAP filter data, click Download PCAP, then
specify where to save the data.