How to load PCAP format data
Kaito
Employee
My prospect wants to load PCAP data. Could you share the tips to load the data into Vertica?
0
Kaito
Employee
My prospect wants to load PCAP data. Could you share the tips to load the data into Vertica?
Comments
Hi,
pcap files have their own proprietary format:
I would just convert the pcap files to csv using tshark and load those into Vertica
Example:
[dbadmin@s18384357 pcap]$ vsql -c "create flex table pcap();" CREATE TABLE [dbadmin@s18384357 pcap]$ tshark -r ipv4frags.pcap -T fields -e frame.number -e eth.src -e eth.dst -e ip.src -e ip.dst -e frame.len -E header=y -E separator=, | vsql -c "copy pcap from stdin parser fcsvparser();" [dbadmin@s18384357 pcap]$ vsql -c "select compute_flextable_keys_and_build_view('pcap'); [dbadmin@s18384357 pcap]$ vsql -c "select compute_flextable_keys_and_build_view('pcap');" compute_flextable_keys_and_build_view ---------------------------------------------------------------------------------------------- Please see public.pcap_keys for updated keys The view public.pcap_view is ready for querying (1 row) [dbadmin@s18384357 pcap]$ vsql -c "select * from pcap_view;" eth.dst | eth.src | frame.len | frame.number | ip.dst | ip.src -------------------+-------------------+-----------+--------------+---------+--------- 08:00:27:e2:9f:a6 | 08:00:27:fc:6a:c9 | 1010 | 1 | 2.1.1.1 | 2.1.1.2 08:00:27:e2:9f:a6 | 08:00:27:fc:6a:c9 | 466 | 2 | 2.1.1.1 | 2.1.1.2 08:00:27:fc:6a:c9 | 08:00:27:e2:9f:a6 | 1442 | 3 | 2.1.1.2 | 2.1.1.1 (3 rows)Thank you, Jim!