Hortonworks Cybersecurity Platform
Also available as:

Porting pcap Data to Another Application

You can port pcap data to another application using the libpcap-compliant pcap file.

When you user the pcap query utility to extract pcap data, the utility creates a libpcap-compliant pcap file in the current working directory.

[root@ip-10-0-0-53 0.3.0]# ls -l
total 72
drwxr-xr-x. 2 livy games  4096 Nov 22 22:36 bin
drwxr-xr-x. 3 livy games  4096 Nov 23 17:10 config
drwxr-xr-x. 2 livy games  4096 Sep 29 17:44 ddl
drwxr-xr-x. 6 livy games  4096 Aug 22 14:54 flux
drwxr-xr-x. 2 root root   4096 Nov 23 17:07 lib
drwxr-xr-x. 2 livy games  4096 Nov 22 22:36 patterns
-rw-r--r--. 1 root root  48506 Nov 23 18:06 pcap-data-20161123180607184+0000.pcap

[root@ip-10-0-0-53 0.3.0]# file pcap-data-20161123180607184+0000.pcap
pcap-data-20161123180607184+0000.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)

You can open the libpcap-compliant pcap file with any third-party tool that supports the file type. For example, you can load Wireshark and choose File > Open. Wireshark will load the pcap file.

The content of the file will be similar to the following: