The purpose of the Metron PCAP service is to provide a middle tier for retrieving the packet capture data that flows into Metron. The packets it returns are in a form that libpcap-based tools (tcpdump, Wireshark and the like) can read directly.
Starting the service

You can start the service either via the installed init.d script, /etc/init.d/pcapservice, or directly via the yarn jar command:

yarn jar $METRON_HOME/lib/metron-api-$METRON_VERSION.jar org.apache.metron.pcapservice.rest.PcapService -port $SERVICE_PORT -query_hdfs_path $QUERY_PATH -pcap_hdfs_path $PCAP_PATH

where

- METRON_HOME is the location of the Metron installation
- METRON_VERSION is the version of the Metron installation
- SERVICE_PORT is the port to bind the REST service to
- QUERY_PATH is the temporary HDFS location where query results are stored. They are deleted after the service reads them.
- PCAP_PATH is the path to the packet data on HDFS

The /pcapGetter/getPcapsByIdentifiers endpoint

This endpoint takes the following query parameters and returns the subset of packets matching this query:
- srcIp: the source IP to match on
- srcPort: the source port to match on
- dstIp: the destination IP to match on
- dstPort: the destination port to match on
- startTime: the start time in milliseconds since the epoch
- endTime: the end time in milliseconds since the epoch
- numReducers: the number of reducers to use when executing the MapReduce job
- includeReverseTraffic: whether the filter should also match packets whose source and destination addresses and ports are swapped, i.e. the reply direction of the same flow

The /pcapGetter/getPcapsByQuery endpoint

This endpoint takes the following query parameters and returns the subset of packets matching this query. It exposes Stellar querying capabilities, so the filter is an arbitrary Stellar expression over the packet fields rather than a fixed set of identifiers:
- query: the Stellar query to execute
- startTime: the start time in milliseconds since the epoch
- endTime: the end time in milliseconds since the epoch
- numReducers: the number of reducers to use when executing the MapReduce job

Example:

curl -XGET "http://node1:8081/pcapGetter/getPcapsByQuery?query=ip_src_addr+==+'192.168.66.121'+and+ip_src_port+==+'60500'&startTime=1476936000000"

Spaces in the Stellar expression are written as + in the query string. The quotes and == are left unencoded in this example, which works from the command line, but a client library should percent-encode the whole expression rather than rely on that.
All of these parameters are optional. A missing parameter is treated as a wildcard, so a request with no time bounds matches every packet under PCAP_PATH in the retained history, and a request with no parameters at all matches everything.

Unlike the CLI tool, there is no paging mechanism: the REST API streams the result back as a single file. Bound requests with startTime and endTime so that both the MapReduce job and the response stay a manageable size.
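The following client helpers are an added example covering both endpoints above; they are not code from the Metron project. They build correctly percent-encoded URLs for getPcapsByIdentifiers and getPcapsByQuery, convert wall-clock times to the epoch milliseconds the service expects, and stream the single-file response to disk only after checking that it starts with a libpcap global header. The host node1:8081 is taken from the page's curl example; rendering includeReverseTraffic as the strings true/false, and the libpcap magic check on the response body, are assumptions this example makes. The sample header bytes at the bottom are constructed for the demonstration.

```python
"""Client helpers for the Metron PCAP REST service (added example, not Metron code)."""
import struct
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlencode

# Endpoint paths as documented above; host and port are supplied by the caller.
QUERY_ENDPOINT = "/pcapGetter/getPcapsByQuery"
IDENTIFIERS_ENDPOINT = "/pcapGetter/getPcapsByIdentifiers"

# libpcap global-header magic numbers: microsecond and nanosecond variants,
# in both byte orders. Anything else is not a capture file.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",
               b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d"}


def to_ms(when) -> int:
    """Epoch milliseconds for startTime/endTime.

    Accepts a datetime or an ISO-8601 string; naive values are taken as UTC.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return int(when.timestamp() * 1000)


def _url(base: str, endpoint: str, params: dict) -> str:
    # Parameters left as None are omitted so the service treats them as wildcards.
    present = {k: v for k, v in params.items() if v is not None}
    return f"{base.rstrip('/')}{endpoint}?{urlencode(present)}"


def build_query_url(base, query, start_ms=None, end_ms=None, num_reducers=None):
    """URL for getPcapsByQuery. urlencode() percent-encodes the Stellar
    expression: spaces become '+', quotes %27 and '=' %3D."""
    return _url(base, QUERY_ENDPOINT, {
        "query": query, "startTime": start_ms, "endTime": end_ms,
        "numReducers": num_reducers})


def build_identifiers_url(base, src_ip=None, src_port=None, dst_ip=None,
                          dst_port=None, start_ms=None, end_ms=None,
                          num_reducers=None, include_reverse=None):
    """URL for getPcapsByIdentifiers. Rendering the boolean as 'true'/'false'
    is an assumption; the documentation does not state the accepted spellings."""
    reverse = None if include_reverse is None else str(bool(include_reverse)).lower()
    return _url(base, IDENTIFIERS_ENDPOINT, {
        "srcIp": src_ip, "srcPort": src_port, "dstIp": dst_ip,
        "dstPort": dst_port, "startTime": start_ms, "endTime": end_ms,
        "numReducers": num_reducers, "includeReverseTraffic": reverse})


def is_libpcap(head: bytes) -> bool:
    """True if the bytes begin with a complete (24-byte) libpcap global header."""
    return len(head) >= 24 and head[:4] in PCAP_MAGICS


def fetch_pcap(url: str, out_path: str, chunk_size: int = 1 << 20) -> int:
    """Stream the single-file response to disk (the service does not page),
    refusing to write anything that does not start as a libpcap file.
    Returns the number of bytes written. Performs a network request."""
    with urllib.request.urlopen(url) as resp:
        first = resp.read(chunk_size)
        if not is_libpcap(first):
            raise ValueError(f"{url}: response is not a libpcap file "
                             f"(first bytes {first[:8]!r})")
        written = 0
        with open(out_path, "wb") as out:
            out.write(first)
            written += len(first)
            while chunk := resp.read(chunk_size):
                out.write(chunk)
                written += len(chunk)
    return written


# Constructed sample: a little-endian libpcap global header (version 2.4,
# snaplen 65535, link type 1 = Ethernet) with no packet records after it.
SAMPLE_PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

if __name__ == "__main__":
    start = to_ms("2016-10-20T04:00:00+00:00")  # same instant as the curl example
    print(build_query_url("http://node1:8081",
                          "ip_src_addr == '192.168.66.121' and ip_src_port == '60500'",
                          start_ms=start))
    print(build_identifiers_url("http://node1:8081", src_ip="10.0.0.5",
                                dst_port=443, include_reverse=True))
    print(is_libpcap(SAMPLE_PCAP_HEADER), is_libpcap(b"<html>"))
```

The magic check matters because the page says the result is a single streamed file: if the service answers with an error page or an empty body, a client that blindly writes the response to a .pcap file ends up with a file that pcap tooling rejects later, far from the request that caused it. Checking the first bytes before writing anything turns that into an immediate, attributable failure.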