Network Interface

Tenzir supports reading packets from a network interface card (NIC).

The load_nic operator produces a stream of bytes in PCAP file format:

[Diagram: each memory chunk consists of a PCAP file header followed by packets (header, packet, packet, .., packet); subsequent memory chunks carry a PCAP file header only when emit-file-headers=true.]

struct packet_header {
  uint32_t timestamp;
  uint32_t timestamp_fraction;
  uint32_t captured_packet_length;
  uint32_t original_packet_length;
} __attribute__((packed));

struct file_header {
  uint32_t magic_number;
  uint16_t major_version;
  uint16_t minor_version;
  uint32_t reserved1;
  uint32_t reserved2;
  uint32_t snaplen;
  uint32_t linktype;
} __attribute__((packed));

We designed load_nic such that it produces a byte stream in the form of a PCAP file. That is, when the pipeline starts, it first produces a file header, followed by chunks of packets. This creates a byte stream that is wire-compatible with the PCAP format, allowing you to exchange load_nic with load_file and It Just Works™.
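To see what "wire-compatible with PCAP" means for a consumer, here is an added example (not Tenzir code) of a parser for exactly this byte layout: a 24-byte file header, then 16-byte packet headers each followed by packet bytes, with a fresh file header allowed between chunks as produced by emit-file-headers=true. The build_stream helper, sample payloads and timestamp are constructed for the example.

```python
import struct

# Added example, not Tenzir code: parse the PCAP byte stream load_nic emits
# (24-byte file header, then 16-byte packet headers each followed by packet
# bytes). With emit-file-headers=true a new file header can appear between
# packets, so the parser checks for the magic number at every record boundary.
# Magic as read little-endian -> (struct byte order of the writer, ts divisor).
MAGICS = {0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6),   # microsecond
          0xA1B23C4D: ("<", 1e9), 0x4D3CB2A1: (">", 1e9)}   # nanosecond
FILE_HEADER_LEN, PACKET_HEADER_LEN = 24, 16


def parse_pcap_stream(data: bytes) -> list[dict]:
    """Return one dict per packet, tolerating repeated file headers mid-stream."""
    packets, pos, order, div, snaplen, linktype = [], 0, None, 1e6, 0, None
    while pos < len(data):
        head = struct.unpack_from("<I", data, pos)[0] if len(data) - pos >= 4 else None
        if head in MAGICS:  # file header: at stream start or after a chunk
            if len(data) - pos < FILE_HEADER_LEN:
                raise ValueError("truncated file header")
            order, div = MAGICS[head]
            _magic, _major, _minor, _r1, _r2, snaplen, linktype = struct.unpack_from(
                order + "IHHIIII", data, pos)
            pos += FILE_HEADER_LEN
            continue
        if order is None:
            raise ValueError("stream does not start with a PCAP file header")
        if len(data) - pos < PACKET_HEADER_LEN:
            raise ValueError("truncated packet header")
        ts, frac, caplen, origlen = struct.unpack_from(order + "IIII", data, pos)
        pos += PACKET_HEADER_LEN
        # Never trust length fields: bound them by snaplen and the remaining bytes.
        if caplen > snaplen or caplen > len(data) - pos:
            raise ValueError(f"bad captured_packet_length {caplen} at offset {pos}")
        packets.append({"linktype": linktype, "timestamp": ts + frac / div,
                        "captured_packet_length": caplen,
                        "original_packet_length": origlen,
                        "data": data[pos:pos + caplen]})
        pos += caplen
    return packets


def build_stream(chunks, emit_file_headers=False, linktype=1, snaplen=65535):
    """Constructed stand-in for load_nic: chunks is a list of packet-payload lists."""
    header = struct.pack("<IHHIIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    out, ts = bytearray(header), 1637155963  # constructed base timestamp (seconds)
    for i, chunk in enumerate(chunks):
        if emit_file_headers and i > 0:  # mirrors emit-file-headers=true
            out += header
        for n, payload in enumerate(chunk):
            out += struct.pack("<IIII", ts, 237882 + n, len(payload), len(payload)) + payload
    return bytes(out)
```

Because the magic check happens only at record boundaries, a packet header whose timestamp field happens to equal a magic value would be misread as a file header; that corresponds to a timestamp in the year 2055, so it is not a practical concern for live captures.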

Examples

List active network interfaces

If you don’t know what interface to read from, use the nics operator to identify suitable candidates:

nics
select name, addresses, up
where up
{
name: "eth0",
addresses: [
"169.254.172.2",
"fe80::6471:53ff:fe5f:a8cc",
],
up: true,
}
{
name: "eth1",
addresses: [
"10.0.101.13",
"fe80::f7:75ff:fe66:94e5",
],
up: true,
}
{
name: "lo",
addresses: [
"127.0.0.1",
"::1",
],
up: true,
}

Read packets from a network interface

Load packets from eth0 and parse them as PCAP:

load_nic "eth0"
read_pcap
head 3
{
linktype: 1,
timestamp: "2021-11-17T13:32:43.237882",
captured_packet_length: 74,
original_packet_length: 74,
data: "ABY88f1tZJ7zvttmCABFAAA8inQAADQGN+yADoaqxkf3W+B8AFDc3z7hAAAAAKACchATrQAAAgQFtAQCCApMw7SVAAAAAAEDAwc=",
}
{
linktype: 1,
timestamp: "2021-11-17T13:32:43.237939",
captured_packet_length: 74,
original_packet_length: 74,
data: "ZJ7zvttmABY88f1tCABFAAA8AABAAEAGdmDGR/dbgA6GqgBQ4HzXXzhD3N8+4qAS/ohsJAAAAgQFtAQCCAqjGGhDTMO0lQEDAwc=",
}
{
linktype: 1,
timestamp: "2021-11-17T13:32:43.249425",
captured_packet_length: 66,
original_packet_length: 66,
data: "ABY88f1tZJ7zvttmCABFAAA0inUAADQGN/OADoaqxkf3W+B8AFDc3z7i1184RIAQAOWYkQAAAQEICkzDtJijGGhD",
}

Decapsulate packets

After you have structured data in the form of PCAP events, you can use the decapsulate function to decode the binary data:

load_nic "eth0"
read_pcap
select packet = decapsulate(this)
head 1
{
packet: {
ether: {
src: "64-9E-F3-BE-DB-66",
dst: "00-16-3C-F1-FD-6D",
type: 2048,
},
ip: {
src: "128.14.134.170",
dst: "198.71.247.91",
type: 6,
},
tcp: {
src_port: 57468,
dst_port: 80,
},
community_id: "1:YXWfTYEyYLKVv5Ge4WqijUnKTrM=",
}

Decapsulation automatically computes a Community ID for correlation in the community_id field. You could also use the community_id function to compute this value manually for different events.