pcap
Reads and writes raw network packets in PCAP file format.
Synopsis
Parser:
pcap [-e|--emit-file-headers]
Printer:
pcap
Description
The pcap parser converts raw bytes representing a PCAP file into events, and the pcap printer generates a PCAP file from events.
The structured representation of packets has the pcap.packet schema:
-e|--emit-file-headers (Parser)
Emit a pcap.file_header event that represents the PCAP file header. If present, the parser injects this additional event before the subsequent stream of packets.
Emitting this extra event makes it possible to seed the pcap printer with a file header from the input. This allows for controlling the timestamp formatting (microsecond vs. nanosecond granularity) and byte order in the packet headers.
When the PCAP parser processes a concatenated stream of PCAP files, specifying --emit-file-headers will also re-emit every intermediate file header as a separate event.
Use this option when you would like to reproduce the identical trace file layout of the PCAP input.
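To make concrete what the file header controls, here is an added example (not Tenzir's code) of a minimal PCAP reader and writer in Python. It assumes only the classic PCAP layout: a 24-byte file header whose magic number (0xa1b2c3d4 for microseconds, 0xa1b23c4d for nanoseconds) fixes both byte order and timestamp granularity, followed by 16-byte packet record headers. The parser handles a concatenated stream of files with different headers, can emit the file header as its own event, and the writer is seeded with a parsed header so the output reproduces the input's layout. The sample packets and timestamps are constructed for the demo.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Union

# Magic numbers from the PCAP file format; the reader tries both byte orders.
MAGIC_MICRO = 0xA1B2C3D4  # timestamps are seconds + microseconds
MAGIC_NANO = 0xA1B23C4D   # timestamps are seconds + nanoseconds
FILE_HEADER_LEN = 24
PACKET_HEADER_LEN = 16


@dataclass
class FileHeader:
    byte_order: str     # struct prefix: "<" little-endian, ">" big-endian
    nanoseconds: bool   # True when packet timestamps carry nanosecond fractions
    snaplen: int
    linktype: int


@dataclass
class Packet:
    timestamp_ns: int   # normalized to nanoseconds since the epoch
    original_len: int
    data: bytes


def _magic_at(buf: bytes, offset: int):
    """Return (byte_order, nanoseconds) if a PCAP magic number starts at offset, else None."""
    if offset + 4 > len(buf):
        return None
    for order in ("<", ">"):
        magic = struct.unpack_from(order + "I", buf, offset)[0]
        if magic == MAGIC_MICRO:
            return order, False
        if magic == MAGIC_NANO:
            return order, True
    return None


def parse_file_header(buf: bytes, offset: int):
    """Parse the 24-byte file header at offset; return (FileHeader, offset after it)."""
    found = _magic_at(buf, offset)
    if found is None or offset + FILE_HEADER_LEN > len(buf):
        raise ValueError(f"no PCAP file header at offset {offset}")
    order, nanos = found
    # Fields after the magic: version_major, version_minor, thiszone, sigfigs, snaplen, linktype.
    _, _, _, _, snaplen, linktype = struct.unpack_from(order + "HHiIII", buf, offset + 4)
    return FileHeader(order, nanos, snaplen, linktype), offset + FILE_HEADER_LEN


def parse_pcap_stream(buf: bytes, emit_file_headers: bool = False) -> Iterator[Union[FileHeader, Packet]]:
    """Yield Packet (and optionally FileHeader) events from one or more concatenated PCAP files."""
    offset = 0
    header = None
    while offset < len(buf):
        # A magic number where a packet record would start marks the next file in a
        # concatenated stream (heuristic: a ts_sec equal to a magic value would be a
        # timestamp decades in the future).
        if header is None or _magic_at(buf, offset) is not None:
            header, offset = parse_file_header(buf, offset)
            if emit_file_headers:
                yield header
            continue
        if offset + PACKET_HEADER_LEN > len(buf):
            raise ValueError(f"truncated packet header at offset {offset}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(header.byte_order + "IIII", buf, offset)
        offset += PACKET_HEADER_LEN
        # Bound the captured length by snaplen and the buffer before slicing.
        if incl_len > header.snaplen or offset + incl_len > len(buf):
            raise ValueError(f"bad captured length {incl_len} at offset {offset}")
        frac_ns = ts_frac if header.nanoseconds else ts_frac * 1000
        yield Packet(ts_sec * 1_000_000_000 + frac_ns, orig_len, buf[offset:offset + incl_len])
        offset += incl_len


def write_pcap(header: FileHeader, packets: List[Packet]) -> bytes:
    """Serialize packets using the byte order and timestamp granularity of the seed header."""
    out = bytearray()
    magic = MAGIC_NANO if header.nanoseconds else MAGIC_MICRO
    out += struct.pack(header.byte_order + "IHHiIII", magic, 2, 4, 0, 0, header.snaplen, header.linktype)
    divisor = 1 if header.nanoseconds else 1000  # nanosecond files keep full precision
    for p in packets:
        ts_sec, rem_ns = divmod(p.timestamp_ns, 1_000_000_000)
        out += struct.pack(header.byte_order + "IIII", ts_sec, rem_ns // divisor, len(p.data), p.original_len)
        out += p.data
    return bytes(out)


# Constructed demo: a little-endian microsecond file followed by a big-endian nanosecond file.
HDR_MICRO_LE = FileHeader("<", False, 65535, 1)
HDR_NANO_BE = FileHeader(">", True, 262144, 1)
PKTS_A = [Packet(1_700_000_000_123_456_000, 60, b"\x00" * 60)]
PKTS_B = [Packet(1_700_000_001_000_000_042, 80, b"\xff" * 80), Packet(1_700_000_002_000_000_000, 40, b"\x01" * 40)]


def demo(emit_file_headers: bool = True):
    """Parse the concatenated stream, with or without file header events."""
    stream = write_pcap(HDR_MICRO_LE, PKTS_A) + write_pcap(HDR_NANO_BE, PKTS_B)
    return list(parse_pcap_stream(stream, emit_file_headers=emit_file_headers))


def reprint(header: FileHeader, packets: List[Packet]) -> List[Packet]:
    """Round-trip packets through a writer seeded with header, to show what the seed preserves."""
    return list(parse_pcap_stream(write_pcap(header, packets)))


if __name__ == "__main__":
    for event in demo():
        print(event)
    # Printing nanosecond packets with a microsecond seed header drops the sub-microsecond part.
    print(reprint(HDR_MICRO_LE, PKTS_B)[0].timestamp_ns)
```

The `reprint` call at the end is the point of --emit-file-headers: when the printer is seeded with the input's own header (nanosecond, big-endian), the 42 ns fraction and the byte order survive the round trip; seeded with a microsecond header, the fraction is truncated to zero.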
Examples
Read packets from a PCAP file:
from file /tmp/trace.pcap read pcap
Read packets from the network interface eth0:
from nic eth0 read pcap
Decapsulate packets in a PCAP file:
read pcap | decapsulate
On the command line, merge PCAP files and parse them: