metron-platform/metron-api/README.md - metron - Git at Google

 # Metron PCAP Service

 The purpose of the Metron PCAP service is to provide a middle tier to
 negotiate retrieving packet capture data which flows into Metron.  This
 packet data is of a form which `libpcap` based tools can read.

 ## Starting the Service

 You can start the service either via the init.d script installed,
 `/etc/init.d/pcapservice` or directly via the `yarn jar` command:
 `yarn jar $METRON_HOME/lib/metron-api-$METRON_VERSION.jar org.apache.metron.pcapservice.rest.PcapService -port $SERVICE_PORT -query_hdfs_path $QUERY_PATH -pcap_hdfs_path $PCAP_PATH`

 where
 * `METRON_HOME` is the location of the metron installation
 * `METRON_VERSION` is the version of the metron installation
 * `SERVICE_PORT` is the port to bind the REST service to.
 * `QUERY_PATH` is the temporary location to store query results.  They are deleted after the service reads them.
 * `PCAP_PATH` is the path to the packet data on HDFS

 ## The `/pcapGetter/getPcapsByIdentifiers` endpoint

 This endpoint takes the following query parameters and returns the subset of
 packets matching this query:
 * `srcIp` : The source IP to match on
 * `srcPort` : The source port to match on
 * `dstIp` : The destination IP to match on
 * `dstPort` : The destination port to match on
 * `startTime` : The start time in milliseconds
 * `endTime` : The end time in milliseconds
 * `numReducers` : Specify the number of reducers to use when executing the mapreduce job
 * `includeReverseTraffic` : Indicates if filter should check swapped src/dest addresses and IPs

 ## The `/pcapGetter/getPcapsByQuery` endpoint

 This endpoint takes the following query parameters and returns the subset of
 packets matching this query. This endpoint exposes Stellar querying capabilities:
 * `query` : The Stellar query to execute
 * `startTime` : The start time in milliseconds
 * `endTime` : The end time in milliseconds
 * `numReducers` : Specify the number of reducers to use when executing the mapreduce job

 Example:
 `curl -XGET "http://node1:8081/pcapGetter/getPcapsByQuery?query=ip_src_addr+==+'192.168.66.121'+and+ip_src_port+==+'60500'&startTime=1476936000000"`

 All of these parameters are optional.  In the case of a missing
 parameter, it is treated as a wildcard.

 Unlike the CLI tool, there is no paging mechanism. The REST API will stream back data as a single file.
	# Metron PCAP Service

	The purpose of the Metron PCAP service is to provide a middle tier to
	negotiate retrieving packet capture data which flows into Metron. This
	packet data is of a form which `libpcap` based tools can read.

	## Starting the Service

	You can start the service either via the init.d script installed,
	`/etc/init.d/pcapservice` or directly via the `yarn jar` command:
	`yarn jar $METRON_HOME/lib/metron-api-$METRON_VERSION.jar org.apache.metron.pcapservice.rest.PcapService -port $SERVICE_PORT -query_hdfs_path $QUERY_PATH -pcap_hdfs_path $PCAP_PATH`

	where
	* `METRON_HOME` is the location of the metron installation
	* `METRON_VERSION` is the version of the metron installation
	* `SERVICE_PORT` is the port to bind the REST service to.
	* `QUERY_PATH` is the temporary location to store query results. They are deleted after the service reads them.
	* `PCAP_PATH` is the path to the packet data on HDFS

	## The `/pcapGetter/getPcapsByIdentifiers` endpoint

	This endpoint takes the following query parameters and returns the subset of
	packets matching this query:
	* `srcIp` : The source IP to match on
	* `srcPort` : The source port to match on
	* `dstIp` : The destination IP to match on
	* `dstPort` : The destination port to match on
	* `startTime` : The start time in milliseconds
	* `endTime` : The end time in milliseconds
	* `numReducers` : Specify the number of reducers to use when executing the mapreduce job
	* `includeReverseTraffic` : Indicates if filter should check swapped src/dest addresses and IPs

	## The `/pcapGetter/getPcapsByQuery` endpoint

	This endpoint takes the following query parameters and returns the subset of
	packets matching this query. This endpoint exposes Stellar querying capabilities:
	* `query` : The Stellar query to execute
	* `startTime` : The start time in milliseconds
	* `endTime` : The end time in milliseconds
	* `numReducers` : Specify the number of reducers to use when executing the mapreduce job

	Example:
	`curl -XGET "http://node1:8081/pcapGetter/getPcapsByQuery?query=ip_src_addr+==+'192.168.66.121'+and+ip_src_port+==+'60500'&startTime=1476936000000"`

	All of these parameters are optional. In the case of a missing
	parameter, it is treated as a wildcard.

	Unlike the CLI tool, there is no paging mechanism. The REST API will stream back data as a single file.