Query Filter Utility

This tool exposes the two methods for filtering PCAP data (a fixed filter and a Stellar query filter) via a command line tool:

The tool is executed via ${metron_home}/bin/pcap_query.sh [fixed|query]

Usage

usage: Fixed filter options
 -bop,--base_output_path <arg>   Query result output path. Default is
                                 '/tmp'
 -bp,--base_path <arg>           Base PCAP data path. Default is
                                 '/apps/metron/pcap'
 -da,--ip_dst_addr <arg>         Destination IP address
 -df,--date_format <arg>         Date format to use for parsing start_time
                                 and end_time. Default is to use time in
                                 millis since the epoch.
 -dp,--ip_dst_port <arg>         Destination port
 -et,--end_time <arg>            Packet end time range. Default is current
                                 system time.
 -h,--help                       Display help
 -ir,--include_reverse           Indicates if filter should check swapped
                                 src/dest addresses and IPs
 -p,--protocol <arg>             IP Protocol
 -sa,--ip_src_addr <arg>         Source IP address
 -sp,--ip_src_port <arg>         Source port
 -st,--start_time <arg>          (required) Packet start time range.

usage: Query filter options
 -bop,--base_output_path <arg>   Query result output path. Default is
                                 '/tmp'
 -bp,--base_path <arg>           Base PCAP data path. Default is
                                 '/apps/metron/pcap'
 -df,--date_format <arg>         Date format to use for parsing start_time
                                 and end_time. Default is to use time in
                                 millis since the epoch.
 -et,--end_time <arg>            Packet end time range. Default is current
                                 system time.
 -h,--help                       Display help
 -q,--query <arg>                Query string to use as a filter
 -st,--start_time <arg>          (required) Packet start time range.

PCAP Fields

The following is a list of fields that can be filtered/queried for in the PCAP data.

  • ip_src_addr
  • ip_dst_addr
  • ip_src_port
  • ip_dst_port
  • protocol

Examples

Fixed filter

/usr/metron/0.1BETA/bin/pcap_query.sh fixed \
                                      -st "20160617" \
                                      -df "yyyyMMdd" \
                                      -sa 192.168.138.158 \
                                      -da 123.456.789.012 \
                                      -sp 49197 \
                                      -dp 80 \
                                      -p 6

Stellar filter

/usr/metron/0.1BETA/bin/pcap_query.sh query \
                                      -st "20160617" \
                                      -df "yyyyMMdd" \
                                      --query "ip_src_addr == '192.168.138.158' and ip_src_port == '49197' \
                                               and ip_dst_addr == '123.456.789.012' and ip_dst_port == '80' \
                                               and protocol == '6'"


/usr/metron/0.1BETA/bin/pcap_query.sh query \
                                      -st "1466136000000" \
                                      --query "IN_SUBNET(ip_src_addr, '192.168.0.0/24') and ip_src_port == '49197' \
                                               and ip_dst_addr == '123.456.789.012' and ip_dst_port == '80' \
                                               and protocol == '6'"
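Added example (not Metron's own code): a Python model of the fixed-filter semantics described above, run over constructed packet metadata records. It assumes each record is a dict with the five listed fields plus a "ts" capture time in epoch millis, that --date_format values are interpreted in UTC with only the yyyy/MM/dd/HH/mm/ss tokens, and that --include_reverse means "also accept the packet when the src/dst address and port criteria are swapped".

```python
import re
from datetime import datetime, timezone

# Constructed packet metadata records (not real PCAP data): the five filterable
# fields from the page plus "ts", the capture time in millis since the epoch.
SAMPLE_PACKETS = [
    {"ts": 1466136000500, "ip_src_addr": "192.168.138.158", "ip_dst_addr": "10.20.30.40",
     "ip_src_port": 49197, "ip_dst_port": 80, "protocol": 6},
    {"ts": 1466136001000, "ip_src_addr": "10.20.30.40", "ip_dst_addr": "192.168.138.158",
     "ip_src_port": 80, "ip_dst_port": 49197, "protocol": 6},  # reply direction
    {"ts": 1466136002000, "ip_src_addr": "192.168.138.158", "ip_dst_addr": "10.20.30.40",
     "ip_src_port": 49197, "ip_dst_port": 443, "protocol": 6},  # other dst port
    {"ts": 1466300000000, "ip_src_addr": "192.168.138.158", "ip_dst_addr": "10.20.30.40",
     "ip_src_port": 49197, "ip_dst_port": 80, "protocol": 6},  # outside the window
]
FIELDS = ("ip_src_addr", "ip_dst_addr", "ip_src_port", "ip_dst_port", "protocol")
# Minimal Java-style date pattern -> strptime token map (assumption: UTC, these tokens only).
_JAVA_TOKENS = {"yyyy": "%Y", "MM": "%m", "dd": "%d", "HH": "%H", "mm": "%M", "ss": "%S"}

def to_epoch_millis(value, date_format=None):
    """Mirror of -st/-et with -df: without a format the value is already millis."""
    if date_format is None:
        return int(value)
    fmt = re.sub("|".join(_JAVA_TOKENS), lambda m: _JAVA_TOKENS[m.group()], date_format)
    dt = datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)

def _swapped(criteria):
    """Mirror of -ir/--include_reverse: exchange src/dst address and port, keep protocol."""
    swap = {"ip_src_addr": "ip_dst_addr", "ip_dst_addr": "ip_src_addr",
            "ip_src_port": "ip_dst_port", "ip_dst_port": "ip_src_port", "protocol": "protocol"}
    return {k: criteria.get(v) for k, v in swap.items()}

def _matches(packet, criteria):
    # Each supplied field must equal the packet's value; omitted fields are wildcards.
    return all(packet[f] == v for f, v in criteria.items() if v is not None)

def fixed_filter(packets, start_time, end_time=None, include_reverse=False, **criteria):
    """Return packets inside [start_time, end_time] (millis) matching the given fields."""
    unknown = set(criteria) - set(FIELDS)
    if unknown:
        raise ValueError(f"unknown filter field(s): {sorted(unknown)}")
    wanted = [criteria, _swapped(criteria)] if include_reverse else [criteria]
    result = []
    for p in packets:
        if p["ts"] < start_time or (end_time is not None and p["ts"] > end_time):
            continue  # outside the requested time range
        if any(_matches(p, c) for c in wanted):
            result.append(p)
    return result
```

Run with include_reverse=True to see the reply packet (src port 80 back to 49197) join the result set, which is the behaviour -ir adds to an otherwise one-directional filter.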