<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia at 2017-02-23
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20170223" />
<meta http-equiv="Content-Language" content="en" />
<title>Metron &#x2013; Metron PCAP Service</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
<link rel="stylesheet" href="../../css/site.css" />
<link rel="stylesheet" href="../../css/print.css" media="print" />
<script type="text/javascript" src="../../js/apache-maven-fluido-1.3.0.min.js"></script>
<script type="text/javascript">$( document ).ready( function() { $( '.carousel' ).carousel( { interval: 3500 } ) } );</script>
</head>
<body class="topBarDisabled">
<div class="container-fluid">
<div id="breadcrumbs">
<ul class="breadcrumb">
<li id="publishDate" class="pull-right">Last Published: 2017-02-23</li> <li class="divider pull-right">|</li>
<li id="projectVersion" class="pull-right">Version: 0.3.1</li>
</ul>
</div>
<div class="row-fluid">
<div id="bodyColumn" class="span9" >
<h1>Metron PCAP Service</h1>
<p><a name="Metron_PCAP_Service"></a></p>
<p>The Metron PCAP service is a middle tier that mediates retrieval of the packet capture data flowing into Metron. The packet data is returned in a form that <tt>libpcap</tt>-based tools can read.</p>
<div class="section">
<h2><a name="Starting_the_Service"></a>Starting the Service</h2>
<p>You can start the service either via the installed init.d script, <tt>/etc/init.d/pcapservice</tt>, or directly via the <tt>yarn jar</tt> command: <tt>yarn jar $METRON_HOME/lib/metron-api-$METRON_VERSION.jar org.apache.metron.pcapservice.rest.PcapService -port $SERVICE_PORT -query_hdfs_path $QUERY_PATH -pcap_hdfs_path $PCAP_PATH</tt></p>
<p>where</p>
<ul>
<li><tt>METRON_HOME</tt> is the location of the Metron installation</li>
<li><tt>METRON_VERSION</tt> is the version of the Metron installation</li>
<li><tt>SERVICE_PORT</tt> is the port to bind the REST service to</li>
<li><tt>QUERY_PATH</tt> is the temporary location used to store query results; they are deleted after the service reads them</li>
<li><tt>PCAP_PATH</tt> is the path to the packet data on HDFS</li>
</ul></div>
<div class="section">
<h2><a name="The_pcapGettergetPcapsByIdentifiers_endpoint"></a>The <tt>/pcapGetter/getPcapsByIdentifiers</tt> endpoint</h2>
<p>This endpoint takes the following query parameters and returns the subset of packets matching this query:</p>
<ul>
<li><tt>srcIp</tt> : The source IP to match on</li>
<li><tt>srcPort</tt> : The source port to match on</li>
<li><tt>dstIp</tt> : The destination IP to match on</li>
<li><tt>dstPort</tt> : The destination port to match on</li>
<li><tt>startTime</tt> : The start time in milliseconds</li>
<li><tt>endTime</tt> : The end time in milliseconds</li>
<li><tt>numReducers</tt> : The number of reducers to use when executing the MapReduce job</li>
<li><tt>includeReverseTraffic</tt> : Indicates whether the filter should also match packets whose source and destination are swapped (the reverse direction of the flow)</li>
</ul></div>
<div class="section">
<h2><a name="The_pcapGettergetPcapsByQuery_endpoint"></a>The <tt>/pcapGetter/getPcapsByQuery</tt> endpoint</h2>
<p>This endpoint exposes Stellar querying: it takes the following query parameters and returns the subset of packets matching the query:</p>
<ul>
<li><tt>query</tt> : The Stellar query to execute</li>
<li><tt>startTime</tt> : The start time in milliseconds</li>
<li><tt>endTime</tt> : The end time in milliseconds</li>
<li><tt>numReducers</tt> : The number of reducers to use when executing the MapReduce job</li>
</ul>
<p>Example: <tt>curl -XGET &quot;http://node1:8081/pcapGetter/getPcapsByQuery?query=ip_src_addr+==+'192.168.66.121'+and+ip_src_port+==+'60500'&amp;startTime=1476936000000&quot;</tt></p>
<p>All of these parameters are optional; a missing parameter is treated as a wildcard.</p>
<p>Unlike the CLI tool, there is no paging mechanism: the REST API streams the data back as a single file.</p></div>
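<p>As an added example (not part of the Metron project), a small Python client for the two endpoints above: it builds the query strings with proper encoding, converts a time window to milliseconds, and checks that the streamed single-file response really is <tt>libpcap</tt> data before writing it to disk. The host/port and the Stellar expression come from the page's curl example; the output path and the epoch-based interpretation of the millisecond timestamps are assumptions.</p>

```python
# Added example client (not Metron code) for the two REST endpoints described
# above. SERVICE_URL, the output path and the sample values are constructed.
import urllib.parse
import urllib.request
from datetime import datetime

SERVICE_URL = "http://node1:8081"  # host:port taken from the page's curl example
# libpcap global-header magic numbers (little/big endian, micro/nanosecond).
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",
               b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d"}

def to_millis(iso_ts: str) -> int:
    """startTime/endTime are milliseconds; assumed epoch-based, which matches
    the page's example value 1476936000000 (2016-10-20T04:00:00+00:00)."""
    return int(datetime.fromisoformat(iso_ts).timestamp() * 1000)

def _url(endpoint: str, params: dict, base: str) -> str:
    # A missing parameter is a wildcard server-side, so None values are dropped.
    # urlencode turns spaces into '+' (as in the curl example) and percent-encodes
    # '=', '&' and quotes, so a Stellar expression cannot break the query string.
    query = {k: v for k, v in params.items() if v is not None}
    return f"{base}/pcapGetter/{endpoint}?{urllib.parse.urlencode(query)}"

def by_identifiers_url(base: str = SERVICE_URL, **params) -> str:
    """Keyword names are the endpoint's own: srcIp, srcPort, dstIp, dstPort,
    startTime, endTime, numReducers, includeReverseTraffic."""
    return _url("getPcapsByIdentifiers", params, base)

def by_query_url(stellar: str, start_ms=None, end_ms=None,
                 num_reducers=None, base: str = SERVICE_URL) -> str:
    return _url("getPcapsByQuery", {"query": stellar, "startTime": start_ms,
                "endTime": end_ms, "numReducers": num_reducers}, base)

def looks_like_pcap(first_bytes: bytes) -> bool:
    """The service streams back a single libpcap file; check its 4-byte magic."""
    return first_bytes[:4] in PCAP_MAGICS

def fetch_to_file(url: str, out_path: str, chunk: int = 1 << 16) -> int:
    """Stream the unpaged response to disk, refusing non-pcap bodies.
    Returns the number of bytes written."""
    with urllib.request.urlopen(url) as resp, open(out_path, "wb") as out:
        head = resp.read(24)  # the libpcap global header is 24 bytes
        if not looks_like_pcap(head):
            raise ValueError("response is not libpcap data")
        written = out.write(head)
        while buf := resp.read(chunk):
            written += out.write(buf)
    return written
```

<p>A typical call is <tt>fetch_to_file(by_query_url("ip_src_addr == '192.168.66.121'", start_ms=to_millis("2016-10-20T04:00:00+00:00")), "incident.pcap")</tt>, after which the file can be opened with any <tt>libpcap</tt>-based tool.</p>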
</div>
</div>
</div>
<hr/>
<footer>
<div class="container-fluid">
<div class="row span12">Copyright &copy; 2017.
All Rights Reserved.
</div>
</div>
</footer>
</body>
</html>