How to load PCAP format data

Kaito · June 2018

My prospect wants to load PCAP data. Could you share the tips to load the data into Vertica?

https://en.wikipedia.org/wiki/Pcap

Jim_Knicely · June 2018

Hi,

pcap files have their own proprietary format:

[dbadmin@s18384357 pcap]$ file ipv4frags.pcap
ipv4frags.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 2000)

I would just convert the pcap files to csv using tshark and load those into Vertica

Example:

[dbadmin@s18384357 pcap]$ vsql -c "create flex table pcap();"
CREATE TABLE

[dbadmin@s18384357 pcap]$ tshark -r ipv4frags.pcap -T fields -e frame.number -e eth.src -e eth.dst -e ip.src -e ip.dst -e frame.len -E header=y -E separator=, | vsql -c "copy pcap from stdin parser fcsvparser();"

[dbadmin@s18384357 pcap]$ vsql -c "select compute_flextable_keys_and_build_view('pcap');

[dbadmin@s18384357 pcap]$ vsql -c "select compute_flextable_keys_and_build_view('pcap');"
                            compute_flextable_keys_and_build_view
----------------------------------------------------------------------------------------------
 Please see public.pcap_keys for updated keys
The view public.pcap_view is ready for querying
(1 row)

[dbadmin@s18384357 pcap]$ vsql -c "select * from pcap_view;"
      eth.dst      |      eth.src      | frame.len | frame.number | ip.dst  | ip.src
-------------------+-------------------+-----------+--------------+---------+---------
 08:00:27:e2:9f:a6 | 08:00:27:fc:6a:c9 |      1010 |            1 | 2.1.1.1 | 2.1.1.2
 08:00:27:e2:9f:a6 | 08:00:27:fc:6a:c9 |       466 |            2 | 2.1.1.1 | 2.1.1.2
 08:00:27:fc:6a:c9 | 08:00:27:e2:9f:a6 |      1442 |            3 | 2.1.1.2 | 2.1.1.1
(3 rows)

Kaito · June 2018

Thank you, Jim!

We're Moving!

Create My New Community Account Now

How to load PCAP format data

Comments

Leave a Comment