A core component of any network security program is analyzing raw data that is coming over the wire. This raw network data is captured in a format called Packet Capture (PCAP) or PCAP Next Generation (PCAPNG) and can be challenging to analyze because it is a binary format. One of the most common tools for analyzing PCAP data is called Wireshark. Even though Wireshark is a capable tool, it is limited in that it can only analyze data that fits in your system’s memory.
-- taken from the “Learning Apache Drill” book.
Drill can query a PCAP or PCAPNG file and retrieve fields including the following:
Protocol type (TCP/UDP)
Source/destination IP address
Source/destination port
Source/destination MAC address
Date and time of packet creation
Packet length
TCP session number and flags
The packet data in binary form
Querying PCAP or PCAPNG files requires no additional configuration, so an out-of-the-box Drill installation can query both.
The following table lists the configuration attributes:

| Attribute | Default Value | Description |
|---|---|---|
| stat | false | If true, return the statistics data about each PCAPNG file |
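The queries below are an added example, not code from the Drill documentation or from the quoted book. They assume the capture is reachable through Drill's default `dfs` storage plugin at a placeholder path, that the column names (`src_ip`, `dst_port`, `type`, `timestamp`) match those the Drill PCAP plugin exposes (the first query confirms this), and that the `stat` attribute can be passed through Drill's table-function syntax; the threshold of 100 ports is a constructed value, not a recommendation.

```sql
-- Added example (not from the Drill docs or the quoted book).
-- Assumed: path under the default `dfs` plugin; column names as exposed by
-- the PCAP plugin, checked with the first query; `stat` passed via table().

-- 1. Confirm which columns the plugin exposes for this capture before
--    relying on any of the names used below.
SELECT * FROM dfs.`/captures/sample.pcap` LIMIT 1;

-- 2. Defender view: source hosts that touched an unusually wide range of
--    destination ports in one capture, a coarse indicator of scanning
--    activity worth triaging. `timestamp` and `type` are quoted because
--    both are reserved words in Drill SQL.
SELECT src_ip,
       COUNT(DISTINCT dst_port) AS distinct_dst_ports,
       COUNT(*)                 AS packets,
       MIN(`timestamp`)         AS first_seen,
       MAX(`timestamp`)         AS last_seen
FROM dfs.`/captures/sample.pcap`
WHERE `type` = 'TCP'
GROUP BY src_ip
HAVING COUNT(DISTINCT dst_port) > 100   -- constructed threshold, tune per network
ORDER BY distinct_dst_ports DESC;

-- 3. PCAPNG with the `stat` attribute set: return per-file statistics
--    rather than packet rows, passing the attribute as a format option.
SELECT *
FROM table(dfs.`/captures/sample.pcapng` (type => 'pcapng', stat => true));
```

Because Drill streams the file rather than loading it into memory, the aggregation in query 2 runs over captures larger than RAM, which is the limitation of Wireshark noted at the top of the page.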
We plan to refactor the PCAPNG parser because the current pcapngdecoder handles huge PCAPNG files poorly: it is neither efficient nor able to parse packets as a stream.