write_pcap

Transforms event stream to PCAP byte stream.

write_pcap

Description

Transforms event stream to PCAP byte stream.

The structured representation of packets has the pcap.packet schema:

pcap.packet:
  record:
    - linktype: uint64
    - time:
        timestamp: time
    - captured_packet_length: uint64
    - original_packet_length: uint64
    - data: string

PCAPNG

The current implementation does not support PCAPNG.

Examples

Write packet events as a PCAP file

subscribe "packets"
write_pcap
save_file "/logs/packets.pcap"

See Also

read_pcap