Hortonworks Cybersecurity Platform
Also available as:

Query pcap Data Using the Fixed Filter Option

You can search or filter the PCAP data by the packet header with the fixed filter command line tool.

The packet header filter is be specified via the -pf or --packet_filter options.

The fixed filter option tool is executed by ${metron_home}/bin/pcap_query.sh [fixed|query]

You can filter or query for the following fields in the PCAP data:

  • ip_scr_addr
  • ip_dst_addr
  • ip_src_port
  • ip_dst_port
  • protocol
  • timestamp

Fixed filter options:

 -bop,--base_output_path <arg>   Query result output path. Default is
 -bp,--base_path <arg>           Base PCAP data path. Default is
 -da,--ip_dst_addr <arg>         Destination IP address.
 -df,--date_format <arg>         Date format to use for parsing start_time
                                 and end_time. Default is to use time in
                                 millis since the epoch.
 -dp,--ip_dst_port <arg>         Destination port.
 -pf, --packet_filter <arg>      Packet filter regex
 -et,--end_time <arg>            Packet end time range. Default is current
                                 system time.
 -nr,--num_reducers <arg>        The number of reducers to use.  Default
                                 is 10.
 -h,--help                       Display help.
 -ir,--include_reverse           Indicates if filter should check swapped
                                 src/dest addresses and IPs.
 -p,--protocol <arg>             IP Protocol.
 -rpf                            Maximum number of records per file. 
 -sa,--ip_src_addr <arg>         Source IP address.
 -sp,--ip_src_port <arg>         Source port.
 -st,--start_time <arg>          (required) Packet start time range.

Fixed filter examples:

$METRON_HOME/bin/pcap_query.sh fixed \
                                      -st "20160617" \
                                      -df "yyyyMMdd" \
                                      -sa \
                                      -da 123.456.789.012 \
                                      -sp 49197 \
                                      -dp 80 \
                                      -p 6
                                      -rpf 500

To search for every packet that has an ip_dst_port of 8080 and contains the text "persist", run:

$METRON_HOME/bin/pcap_query.sh fixed \
          --ip_dst_port 8080 \
          --packet_filter \
          "\`persist\`" \
          -st "20170425" \
          -df "yyyyMMdd"