<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia at 2017-02-23
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20170223" />
<meta http-equiv="Content-Language" content="en" />
<title>Metron – Pycapa</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
<link rel="stylesheet" href="../../css/site.css" />
<link rel="stylesheet" href="../../css/print.css" media="print" />
<script type="text/javascript" src="../../js/apache-maven-fluido-1.3.0.min.js"></script>
<script type="text/javascript">$( document ).ready( function() { $( '.carousel' ).carousel( { interval: 3500 } ) } );</script>
</head>
<body class="topBarDisabled">

<div class="container-fluid">
<div id="banner">
<div class="pull-left">
<a href="http://metron.incubator.apache.org/" id="bannerLeft">
<img src="../../images/metron-logo.png" alt="Apache Metron - Incubating" width="148px" height="48px"/>
</a>
</div>
<div class="pull-right">
<a href="http://incubator.apache.org/" id="bannerRight">
<img src="../../images/ApacheIncubating_Logo.png" alt="Apache Incubating" width="192px" height="48px"/>
</a>
</div>
<div class="clear"><hr/></div>
</div>

<div id="breadcrumbs">
<ul class="breadcrumb">
<li id="publishDate" class="pull-right">Last Published: 2017-02-23</li> <li class="divider pull-right">|</li>
<li id="projectVersion" class="pull-right">Version: 0.3.1</li>
</ul>
</div>

<div class="row-fluid">

<div id="bodyColumn" class="span9">

<h1>Pycapa</h1>
<p><a name="Pycapa"></a></p>
<div class="section">
<h2><a name="Overview"></a>Overview</h2>
<p>Pycapa performs network packet capture, both off-the-wire and from Kafka, which is useful for the testing and development of <a class="externalLink" href="https://github.com/apache/incubator-metron">Apache Metron</a>. It is not intended for production use. The tool captures packets from a specified interface and pushes them into a Kafka topic.</p></div>
<div class="section">
<h2><a name="Installation"></a>Installation</h2>

<div class="source">
<div class="source">
<pre>pip install -r requirements.txt
python setup.py install
</pre></div></div></div>
<div class="section">
<h2><a name="Usage"></a>Usage</h2>

<div class="source">
<div class="source">
<pre>$ pycapa --help
usage: pycapa [-h] [-p] [-c] [-k KAFKA_BROKERS] [-t TOPIC] [-n PACKET_COUNT]
              [-d DEBUG] [-i INTERFACE]

optional arguments:
  -h, --help            show this help message and exit
  -p, --producer        sniff packets and send to kafka
  -c, --consumer        read packets from kafka
  -k KAFKA_BROKERS, --kafka KAFKA_BROKERS
                        kafka broker(s)
  -t TOPIC, --topic TOPIC
                        kafka topic
  -n PACKET_COUNT, --number PACKET_COUNT
                        number of packets to consume
  -d DEBUG, --debug DEBUG
                        debug every X packets
  -i INTERFACE, --interface INTERFACE
                        interface to listen on
</pre></div></div>
<p>Pycapa has two primary runtime modes.</p>
<div class="section">
<h3><a name="Producer_Mode"></a>Producer Mode</h3>
<p>Pycapa can be configured to capture packets from a network interface and forward them to a Kafka topic. The following example captures packets from the <tt>eth0</tt> network interface and forwards them to a Kafka topic called <tt>pcap</tt> on a broker running on <tt>localhost</tt>.</p>

<div class="source">
<div class="source">
<pre>pycapa --producer --kafka localhost:9092 --topic pcap -i eth0
</pre></div></div>
<p>To output a debug message every 100 captured packets, run the following.</p>

<div class="source">
<div class="source">
<pre>pycapa --producer --kafka localhost:9092 --topic pcap -i eth0 --debug 100
</pre></div></div></div>
<div class="section">
<h3><a name="Consumer_Mode"></a>Consumer Mode</h3>
<p>Pycapa can be configured to consume packets from a Kafka topic and write them to a <a class="externalLink" href="https://wiki.wireshark.org/Development/LibpcapFileFormat">libpcap-compliant file</a>. To read 100 packets from a Kafka topic and write them to a libpcap-compliant file, run the following command; the pcap data is written to standard output, so it is redirected into a file here. The file <tt>out.pcap</tt> can then be opened with a tool such as Wireshark for further validation.</p>

<div class="source">
<div class="source">
<pre>pycapa --consumer --kafka localhost:9092 --topic pcap --number 100 &gt; out.pcap
</pre></div></div>
<p>To consume packets from Kafka continuously and print a debug message every 10 packets, run the following command.</p>

<div class="source">
<div class="source">
<pre>pycapa --consumer --kafka localhost:9092 --topic pcap --debug 10
</pre></div></div></div></div>
<div class="section">
<h2><a name="Dependencies"></a>Dependencies</h2>

<ul>
<li><a class="externalLink" href="https://github.com/dpkp/kafka-python">kafka-python</a></li>
<li><a class="externalLink" href="https://github.com/CoreSecurity/pcapy">pcapy</a></li>
</ul></div>
<div class="section">
<h2><a name="Implementation"></a>Implementation</h2>
<p>When run in Producer Mode, Pycapa embeds the raw network packet data in the Kafka message value. The message key is the capture timestamp, expressed in microseconds since the epoch and encoded in network (big-endian) byte order. A consumer therefore recovers the packet bytes from the value and the capture time from the key.</p></div>
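<p>As an added example (not code from the Pycapa project or from the original page), the following Python shows in working code what the Consumer Mode command and the Implementation note describe: Kafka messages whose key is the capture timestamp in microseconds, in network byte order, and whose value is the raw packet are written out as a libpcap file, then parsed back to validate the round trip. It assumes the key is an 8-byte unsigned integer and that the captured frames are Ethernet (link type 1); neither the key width nor the link type is stated on the page. The sample messages are constructed inline, so it runs offline without Kafka or a capture interface.</p>

```python
"""Decode Pycapa-style Kafka messages into a libpcap file (added example).

Assumptions not stated on the page: the message key is an 8-byte unsigned
integer (struct format '!Q') and the link type is Ethernet (DLT_EN10MB = 1).
"""
import struct
from typing import Iterable, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4       # microsecond-resolution libpcap magic number
PCAP_VERSION = (2, 4)
PCAP_SNAPLEN = 65535
DLT_EN10MB = 1                # Ethernet link type (assumption, see above)


def encode_key(ts_us: int) -> bytes:
    """Encode a capture timestamp (microseconds since the epoch) in network byte order."""
    if not 0 <= ts_us < 2 ** 64:
        raise ValueError("timestamp out of range for an unsigned 64-bit key")
    return struct.pack("!Q", ts_us)


def decode_key(key: bytes) -> int:
    """Reverse of encode_key; rejects keys of the wrong length instead of guessing."""
    if len(key) != 8:
        raise ValueError("expected an 8-byte big-endian key, got %d bytes" % len(key))
    return struct.unpack("!Q", key)[0]


def pcap_global_header() -> bytes:
    """libpcap global header: magic, version, thiszone, sigfigs, snaplen, linktype."""
    return struct.pack("!IHHiIII", PCAP_MAGIC, PCAP_VERSION[0], PCAP_VERSION[1],
                       0, 0, PCAP_SNAPLEN, DLT_EN10MB)


def pcap_record(ts_us: int, packet: bytes) -> bytes:
    """One libpcap record: ts_sec, ts_usec, incl_len, orig_len, then the packet bytes."""
    sec, usec = divmod(ts_us, 1_000_000)
    captured = packet[:PCAP_SNAPLEN]          # a real capture truncates at snaplen
    return struct.pack("!IIII", sec, usec, len(captured), len(packet)) + captured


def messages_to_pcap(messages: Iterable[Tuple[bytes, bytes]]) -> bytes:
    """Turn (key, value) Kafka messages, laid out as the page describes, into a pcap image."""
    out = [pcap_global_header()]
    for key, value in messages:
        out.append(pcap_record(decode_key(key), value))
    return b"".join(out)


def parse_pcap(data: bytes) -> List[Tuple[int, bytes]]:
    """Parse a pcap image back into (timestamp_us, packet) pairs to validate the round trip."""
    magic, vmaj, vmin, _tz, _sig, _snap, link = struct.unpack("!IHHiIII", data[:24])
    if magic != PCAP_MAGIC or (vmaj, vmin) != PCAP_VERSION or link != DLT_EN10MB:
        raise ValueError("not a pcap image written by this module")
    packets, off = [], 24
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack("!IIII", data[off:off + 16])
        off += 16
        if off + incl > len(data):
            raise ValueError("truncated pcap record at offset %d" % off)
        packets.append((sec * 1_000_000 + usec, data[off:off + incl]))
        off += incl
    return packets


# Constructed sample: two minimal Ethernet frames (dst, src, EtherType, padding); not real traffic.
SAMPLE_PACKETS = [
    (1487808000_000123, bytes.fromhex("ffffffffffff 0242ac110002 0806") + b"\x00" * 28),
    (1487808000_004567, bytes.fromhex("0242ac110002 0242ac110003 0800") + b"\x45" + b"\x00" * 19),
]
SAMPLE_MESSAGES = [(encode_key(ts), pkt) for ts, pkt in SAMPLE_PACKETS]


def round_trip() -> List[Tuple[int, bytes]]:
    """Encode the constructed sample as Kafka messages, write a pcap image, parse it back."""
    return parse_pcap(messages_to_pcap(SAMPLE_MESSAGES))


if __name__ == "__main__":
    for ts_us, pkt in round_trip():
        ethertype = int.from_bytes(pkt[12:14], "big")
        print("ts=%d us, %d bytes, ethertype=0x%04x" % (ts_us, len(pkt), ethertype))
```

<p>The writer uses big-endian (<tt>!</tt>) layout for the pcap headers as well as for the key; libpcap readers detect the byte order from the magic number, so Wireshark opens the result either way. Checking the key length and the record bounds before unpacking is what keeps a malformed or truncated message from silently producing a corrupt capture file.</p>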
</div>
</div>
</div>

<hr/>

<footer>
<div class="container-fluid">
<div class="row span12">Copyright © 2017. All Rights Reserved.</div>
</div>
</footer>
</body>
</html>