Querying PCAP Data Using Fixed Filter
Also available as:
PDF

Capturing pcap Data

In your production environment there is likely to be one or more hosts configured with one or more span ports that receives raw packet data from a packet aggregation device. You can use one of HCP's packet capture programs to capture the pcap data; pycapa and DPDK. These programs are responsible for capturing the raw packet data off the wire and sending that data to Kafka where it can be ingested by HCP.

The following example uses Pycapa.

service pycapa start

If everything worked correctly, the raw packet data can be consumed from a Kafka topic called pcap. The data is binary.

$ /usr/hdp/current/kafka-broker/bin/kafka-console-consumer.sh -z zookeeper1:2181 --topic pcap
E)���>K������P�"ssLQlJ
                      P��0
E(  �@��x����>K���"PQlJ
                           ssLPF�