Using CLI to Query pcap Data
You can search or filter the pcap data with one of the following command line tools:
Fixed filter option
Query filter option (Metron Stellar)
Both tools are executed by ${metron_home}/bin/pcap_query.sh [fixed|query]
Note: Because the output from a query can be very large, we recommend appending
You can filter or query for the following fields in the pcap data:
ip_src_addr
ip_dst_addr
ip_src_port
ip_dst_port
protocol
timestamp
Fixed filter options:
-bop,--base_output_path <arg> Query result output path. Default is '/tmp'.
-bp,--base_path <arg> Base PCAP data path. Default is '/apps/metron/pcap'.
-da,--ip_dst_addr <arg> Destination IP address.
-df,--date_format <arg> Date format to use for parsing start_time and end_time. Default is to use time in millis since the epoch.
-dp,--ip_dst_port <arg> Destination port.
-et,--end_time <arg> Packet end time range. Default is current system time.
-nr,--num_reducers <arg> The number of reducers to use. Default is 10.
-h,--help Display help.
-ir,--include_reverse Indicates if filter should check swapped src/dest addresses and IPs.
-p,--protocol <arg> IP Protocol.
-rpf Maximum number of records per file.
-sa,--ip_src_addr <arg> Source IP address.
-sp,--ip_src_port <arg> Source port.
-st,--start_time <arg> (required) Packet start time range.
Fixed filter examples:
$METRON_HOME/bin/pcap_query.sh fixed \
  -st "20160617" \
  -df "yyyyMMdd" \
  -sa 192.168.138.158 \
  -da 123.456.789.012 \
  -sp 49197 \
  -dp 80 \
  -p 6 \
  -rpf 500
Query filter options:
-bop,--base_output_path <arg> Query result output path. Default is '/tmp'.
-bp,--base_path <arg> Base PCAP data path. Default is '/apps/metron/pcap'.
-df,--date_format <arg> Date format to use for parsing start_time and end_time. Default is to use time in millis since the epoch.
-et,--end_time <arg> Packet end time range. Default is current system time.
-nr,--num_reducers <arg> The number of reducers to use. Default is 10.
-h,--help Display help.
-q,--query <arg> Query string to use as a filter.
-rpf Maximum number of records per file.
-st,--start_time <arg> (required) Packet start time range.
Query filter examples:
$METRON_HOME/bin/pcap_query.sh query \
  -st "20160617" \
  -df "yyyyMMdd" \
  --query "ip_src_addr == '192.168.138.158' and ip_src_port == '49197' \
    and ip_dst_addr == '123.456.789.012' and ip_dst_port == '80' \
    and protocol == '6'" \
  -rpf 500

$METRON_HOME/bin/pcap_query.sh query \
  -st "1466136000000" \
  --query "IN_SUBNET(ip_src_addr, '192.168.0.0/24') and ip_src_port == '49197' \
    and ip_dst_addr == '123.456.789.012' and ip_dst_port == '80' \
    and protocol == '6'" \
  -rpf 500

# subnet function checks IP is in specified subnet
--query "IN_SUBNET(ip_src_addr, '192.168.0.0/24') \
  and ip_src_port == '49197' \
  and ip_dst_addr == '123.456.789.012' \
  and ip_dst_port == '80' \
  and protocol == '6'"

# range queries on ports
--query "ip_src_port <= 50000 and ip_dst_port >= 30000"

# range queries with conditionals and parens
--query "(ip_src_port < 50000 and ip_src_port > 40000) \
  or (ip_src_port < 20000 and ip_src_port > 10000)"

# in/not in list of values
--query "ip_src_port < 10000 and ip_dst_port in ['54056', '54057', '8080']"
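The query filters above can be exercised offline before a full MapReduce run. This is an added example, not part of Metron or its pcap_query tooling: it parses the filter string as an expression tree and interprets only whitelisted node types (no eval), with assumed semantics (integer-looking values such as '80' compare numerically, everything else as strings) and constructed packet records keyed by the field names listed on this page.

```python
"""Added example: evaluate pcap --query filters by walking a whitelisted AST (never eval())."""
import ast
import ipaddress
import operator

FUNCTIONS = {"IN_SUBNET": lambda ip, cidr: ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)}
COMPARE = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
           ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}

def val(x):
    """Assumption: integer-looking values ('80' or 80) compare numerically, everything else as strings."""
    return int(x) if str(x).isdigit() else str(x)

def evaluate(node, rec):
    """Interpret one AST node against a packet record; any construct not listed here is rejected."""
    if isinstance(node, ast.Expression):
        return evaluate(node.body, rec)
    if isinstance(node, ast.BoolOp):  # 'and' / 'or', including parenthesised groups
        results = [evaluate(v, rec) for v in node.values]
        return all(results) if isinstance(node.op, ast.And) else any(results)
    if isinstance(node, ast.Compare) and len(node.ops) == 1:
        op, left = node.ops[0], evaluate(node.left, rec)
        right = evaluate(node.comparators[0], rec)
        if isinstance(op, (ast.In, ast.NotIn)):  # membership in a literal list
            hit = any(val(left) == val(x) for x in right)
            return hit if isinstance(op, ast.In) else not hit
        return COMPARE[type(op)](val(left), val(right))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in FUNCTIONS:
        return FUNCTIONS[node.func.id](*(evaluate(a, rec) for a in node.args))
    if isinstance(node, ast.Name):
        return rec[node.id]  # pcap field reference such as ip_src_port
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, str)):
        return node.value
    if isinstance(node, ast.List):
        return [evaluate(e, rec) for e in node.elts]
    raise ValueError(f"unsupported filter construct: {ast.dump(node)}")

def select(query, packets):
    """Return the packet records (dicts keyed by the page's field names) that match query."""
    tree = ast.parse(query, mode="eval")
    return [p for p in packets if evaluate(tree, p)]

# Constructed sample records (not real capture data), keyed by the page's field names.
PACKETS = [
    {"ip_src_addr": "192.168.138.158", "ip_dst_addr": "123.456.789.012", "ip_src_port": 49197,
     "ip_dst_port": 80, "protocol": 6, "timestamp": 1466136000000},
    {"ip_src_addr": "192.168.0.77", "ip_dst_addr": "10.1.1.1", "ip_src_port": 45000,
     "ip_dst_port": 8080, "protocol": 17, "timestamp": 1466136001000},
    {"ip_src_addr": "172.16.5.9", "ip_dst_addr": "10.1.1.2", "ip_src_port": 9000,
     "ip_dst_port": 54057, "protocol": 6, "timestamp": 1466136002000},
]
```

Note that the page's second query combines IN_SUBNET(ip_src_addr, '192.168.0.0/24') with ip_src_addr 192.168.138.158 from the first; that host is outside the /24, so against these records the two conditions together select nothing.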