Hortonworks Docs » Hortonworks Cybersecurity Platform 1.8.0 » Querying PCAP Data Using Fixed Filter
Querying PCAP Data Using Fixed Filter
Also available as:
PDF

Using the CLI to Query pcap Data With the Fixed Filter Option

You can use the CLI to run both types of filter queries. When using the CLI with the fixed filter option, you can utilize more options that you can when using the PCAP panel user interface. For example, the PCAP panel user interface does not have an option to specify the number of reducers to use. The fixed filter filters PCAP data by the packet header. The filter runs on explicit matches only so you cannot use any specialized functions or comparison operators.

Execute the fixed filter option using the fixed option: 
$METRON_HOME/bin/pcap_query.sh fixed
You can query for the following fields in the PCAP data:
  • ip_scr_addr
  • ip_dst_addr
  • ip_src_port
  • ip_dst_port
  • protocol
  • timestamp
You can use the following fixed filter options:
-bop,--base_output_path <arg>
Query result output path. Default is /tmp.
-bp,--base_path <arg>
Base PCAP data path. Default is /apps/metron/pcap.
-da,--ip_dst_addr <arg>
Destination IP address.
-df,--date_format <arg>
Date format to use for parsing start_time and end_time. Default is to use time in millis since the epoch.
-dp,--ip_dst_port <arg>
Destination port.
-pf, --packet_filter <arg>
Packet filter regex.
-et,--end_time <arg>
Packet end time range. Default is current system time.
-ft,--finalizer_threads <arg>
Number of threads to use for the final output writing.
-nr,--num_reducers <arg>
The number of reducers to use. Default is 10.
-h,--help
Display help.
-ir,--include_reverse
Indicates if filter should check swapped src/dest addresses and IPs.
-p,--protocol <arg>
IP Protocol.
-rpf,--records_per_file <arg>
Maximum number of records per file.
-sa,--ip_src_addr <arg>
Source IP address.
-sp,--ip_src_port <arg>
Source port.
-st,--start_time <arg>
(required) Packet start time range.
-yq,--yarn_queue <arg>
Yarn queue this job will be submitted to.
For example:
$METRON_HOME/bin/pcap_query.sh fixed \
                                      -st "20160617" \
                                      -df "yyyyMMdd" \
                                      -sa 192.168.138.158 \
                                      -da 123.456.789.012 \
                                      -sp 49197 \
                                      -dp 80 \
                                      -p 6
                                      -rpf 500

To search for every packet that has an ip_dst_port of 8080 and contains the text "persist", run:

$METRON_HOME/bin/pcap_query.sh fixed \
          --ip_dst_port 8080 \
          --packet_filter \
          "\`persist\`" \
          -st "20170425" \
          -df "yyyyMMdd"
© 2012–2019, Hortonworks, Inc.
Document licensed under the Creative Commons Attribution ShareAlike 4.0 License.
Hortonworks.com | Documentation | Support | Community