A prerequisite to having the PCAP service is having the PCAP Topology up and running. Code for the PCAP service can be found here.
The service consists of a Kibana PCAP panel that is backed by a RESTful API. A sample screenshot of the Kibana/Banana PCAP panel is provided below.
The PCAP Kibana/Banana Panel takes the following variables:
Variable | Description | Format | Required |
---|---|---|---|
ip_src_addr | Source IP address | xxx.xxx.xxx.xxx | YES |
ip_dst_addr | Destination IP address | xxx.xxx.xxx.xxx | YES |
ip_src_port | Source port | int | NO |
ip_dst_port | Destination port | int | NO |
protocol | Protocol (as a string) | String | NO |
timeframe | Current time minus x minutes | epoch | YES |
Once a query is entered in the PCAP panel, the panel forwards it to the REST PCAP service. The REST PCAP service launches a MapReduce (MR) job that reads the PCAP files the PCAP Topology has stored on HDFS, filters their packets according to the Kibana/Banana panel query, compiles the matching packets into a new PCAP, and returns it to the Kibana/Banana panel through the REST PCAP service.
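As an added example (not the project's own code), the following Python does on a single file what the MR job does across HDFS: parse a classic-format PCAP of Ethernet frames, apply the panel's query variables to each packet, and compile the matches into a new PCAP. It assumes `timeframe` is the epoch start of the lookback window; the sample capture and query are constructed inline.

```python
import socket, struct
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}

def ipv4_frame(src, dst, proto, sport, dport):
    # Constructed Ethernet/IPv4 frame carrying a minimal 8-byte TCP/UDP header.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\xff" * 6 + b"\xaa" * 6 + b"\x08\x00" + ip + struct.pack("!HHI", sport, dport, 0)

def build_pcap(records):
    # pcap file bytes (little-endian magic, Ethernet link type) from (epoch_sec, frame) pairs.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def iter_packets(data):
    # Yield (epoch_sec, frame) from pcap bytes; accepts either magic byte order.
    end = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(data):
        ts, _, incl, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts, data[off:off + incl]
        off += incl

def matches(ts, frame, q):
    # Required query fields are always checked, optional ones only when present.
    # Assumption: timeframe is the epoch start of the window, so older packets are dropped.
    if len(frame) < 34 or frame[12:14] != b"\x08\x00": return False  # IPv4 only
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", l4[:4]) if proto in (6, 17) and len(l4) >= 4 else (None, None)
    if ts < q["timeframe"] or src != q["ip_src_addr"] or dst != q["ip_dst_addr"]:
        return False
    if "protocol" in q and PROTO_NUM.get(q["protocol"].lower()) != proto:
        return False
    if "ip_src_port" in q and q["ip_src_port"] != sport: return False
    return "ip_dst_port" not in q or q["ip_dst_port"] == dport

def filter_pcap(data, q):
    # Compile a new pcap holding only the packets that satisfy the panel query.
    hits = [(ts, f) for ts, f in iter_packets(data) if matches(ts, f, q)]
    return build_pcap(hits), len(hits)

# Constructed sample capture: a TCP and a UDP flow inside the window, plus one stale packet.
SAMPLE_PCAP = build_pcap([(1700000100, ipv4_frame("10.0.0.1", "10.0.0.2", 6, 40000, 80)),
                          (1700000200, ipv4_frame("10.0.0.1", "10.0.0.2", 17, 5353, 53)),
                          (1600000000, ipv4_frame("10.0.0.1", "10.0.0.2", 6, 40001, 80))])
SAMPLE_QUERY = {"ip_src_addr": "10.0.0.1", "ip_dst_addr": "10.0.0.2", "ip_dst_port": 80,
                "protocol": "TCP", "timeframe": 1700000000}
```

`filter_pcap(SAMPLE_PCAP, SAMPLE_QUERY)` returns the new PCAP bytes and a match count of 1; dropping the optional fields from the query widens the result to both in-window flows.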