read_pcap
Reads raw network packets in PCAP file format.
read_pcap [emit_file_headers=bool]
Description
The read_pcap operator converts raw bytes representing a PCAP file into events.
emit_file_headers = bool (optional)
Emit a pcap.file_header event that represents the PCAP file header. If present, the parser injects this additional event before the subsequent stream of packets.
Emitting this extra event makes it possible to seed the write_pcap operator with a file header from the input. This allows for controlling the timestamp formatting (microsecond vs. nanosecond granularity) and the byte order in the packet headers.
When the PCAP parser processes a concatenated stream of PCAP files, specifying emit_file_headers also re-emits every intermediate file header as a separate event.
Use this option when you would like to reproduce the identical trace file layout of the PCAP input.
Schemas
The operator emits events with the following schema.
pcap.packet
Contains the header fields and payload of one captured packet.
Field | Type | Description |
---|---|---|
timestamp | time | The time of capturing the packet. |
linktype | uint64 | The linktype of the captured packet. |
original_packet_length | uint64 | The length of the original packet. |
captured_packet_length | uint64 | The length of the captured packet. |
data | blob | The captured packet’s data as a blob. |
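To make the two behaviours described above concrete (the file header that carries byte order and timestamp granularity, and the re-emission of every file header in a concatenated stream), here is an added Python parser that produces the same pcap.file_header and pcap.packet events. It is example code written for this page, not Tenzir's implementation; the event field names follow the schema table, the "timestamp" field is an assumed integer nanoseconds-since-epoch value, and the sample bytes it parses are constructed inline rather than taken from a real capture.

```python
import struct

# PCAP magic values in the file's native byte order. Reading the same bytes in
# the other byte order reveals a swapped (big-endian) file; the 0xa1b23c4d magic
# marks nanosecond rather than microsecond timestamps.
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D

FILE_HEADER_LEN = 24    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PACKET_HEADER_LEN = 16  # ts_sec, ts_frac, incl_len, orig_len


def detect_format(magic_bytes):
    """Return (struct byte-order prefix, nanosecond flag) from a 4-byte magic."""
    for prefix in ("<", ">"):
        (magic,) = struct.unpack(prefix + "I", magic_bytes)
        if magic == MAGIC_USEC:
            return prefix, False
        if magic == MAGIC_NSEC:
            return prefix, True
    raise ValueError("not a PCAP file header: magic bytes %s" % magic_bytes.hex())


def looks_like_file_header(data, offset):
    """True if a PCAP magic followed by major version 2 starts at offset.

    Checking the version keeps a packet whose ts_sec equals a magic value
    (a timestamp in the year 2055) from being mistaken for a new file.
    """
    if len(data) - offset < 8:
        return False
    try:
        prefix, _ = detect_format(data[offset:offset + 4])
    except ValueError:
        return False
    (major,) = struct.unpack(prefix + "H", data[offset + 4:offset + 6])
    return major == 2


def read_pcap(data, emit_file_headers=False):
    """Turn a (possibly concatenated) PCAP byte string into a list of events."""
    events = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < FILE_HEADER_LEN:
            raise ValueError("truncated file header at offset %d" % offset)
        prefix, nanos = detect_format(data[offset:offset + 4])
        magic, major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
            prefix + "IHHiIII", data[offset:offset + FILE_HEADER_LEN])
        offset += FILE_HEADER_LEN
        if emit_file_headers:  # one header event per file, intermediate ones included
            events.append({
                "schema": "pcap.file_header",
                "magic_number": magic,
                "major_version": major,
                "minor_version": minor,
                "snaplen": snaplen,
                "linktype": linktype,
                "big_endian": prefix == ">",
                "nanoseconds": nanos,
            })
        # Packet records follow until the data ends or the next file header begins.
        while offset < len(data) and not looks_like_file_header(data, offset):
            if len(data) - offset < PACKET_HEADER_LEN:
                raise ValueError("truncated packet header at offset %d" % offset)
            ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
                prefix + "IIII", data[offset:offset + PACKET_HEADER_LEN])
            offset += PACKET_HEADER_LEN
            if incl_len > snaplen or offset + incl_len > len(data):
                raise ValueError("bad captured length %d at offset %d" % (incl_len, offset))
            payload = data[offset:offset + incl_len]
            offset += incl_len
            # Normalize both timestamp granularities to integer nanoseconds.
            ts_ns = ts_sec * 10**9 + (ts_frac if nanos else ts_frac * 1000)
            events.append({
                "schema": "pcap.packet",
                "timestamp": ts_ns,
                "linktype": linktype,
                "original_packet_length": orig_len,
                "captured_packet_length": incl_len,
                "data": payload,
            })
    return events


def build_sample_stream():
    """Constructed sample: two small PCAP files back to back (not a real capture)."""
    frame = bytes.fromhex("ffffffffffff000000000001" "0800") + b"A" * 10  # 24-byte frame
    # File 1: little-endian, microsecond timestamps, linktype 1 (Ethernet).
    file1 = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    file1 += struct.pack("<IIII", 1700000000, 123456, len(frame), len(frame)) + frame
    # File 2: big-endian, nanosecond timestamps, linktype 101 (raw IP), with a
    # snaplen of 16 that truncates the 40-byte packet.
    packet = b"B" * 40
    file2 = struct.pack(">IHHiIII", MAGIC_NSEC, 2, 4, 0, 0, 16, 101)
    file2 += struct.pack(">IIII", 1700000001, 999, 16, len(packet)) + packet[:16]
    return file1 + file2


if __name__ == "__main__":
    for event in read_pcap(build_sample_stream(), emit_file_headers=True):
        print({k: (v.hex() if isinstance(v, bytes) else v) for k, v in event.items()})
```

Running the block with emit_file_headers=True yields four events: the little-endian microsecond header, its packet, the big-endian nanosecond header, and its truncated packet; without the flag only the two packet events remain, and the byte order and granularity that write_pcap would need to reproduce the layout are no longer visible in the stream.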
Examples
Read packets from a PCAP file
```tql
load_file "/tmp/trace.pcap"
read_pcap
```
Read packets from the network interface eth0
```tql
load_nic "eth0"
read_pcap
```