write_pcap
Transforms an event stream into a PCAP byte stream.
write_pcap
Description
Transforms an event stream into a PCAP byte stream. The input events must follow the pcap.packet schema shown below: each event describes one captured frame, and the data field carries the frame bytes. The operator emits the classic PCAP file format (a global header followed by one record header per packet), so the output can be handed to a byte sink such as save_file.
The structured representation of packets has the pcap.packet
schema:
pcap.packet:
  record:
    - linktype: uint64
    - time:
        timestamp: time
    - captured_packet_length: uint64
    - original_packet_length: uint64
    - data: string
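To make the pcap.packet-to-PCAP mapping concrete, here is an added Python example (not Tenzir's implementation) that serializes events shaped like the schema above into a classic PCAP byte stream and parses them back. It assumes the data field holds the raw frame bytes (as bytes rather than a string) and uses constructed sample frames; the hypothetical names write_pcap, read_pcap and SAMPLE_EVENTS are this example's own. It also enforces two constraints a practitioner should know about: the link type lives in the global header, so one PCAP file can hold only one link type, and captured_packet_length must match the payload length and never exceed original_packet_length.

```python
import struct
from datetime import datetime, timedelta, timezone

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1         # DLT_EN10MB
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample frames (hypothetical, not captured traffic).
FRAME_ARP = bytes.fromhex(
    "ffffffffffff" "001122334455" "0806"  # Ethernet: broadcast <- 00:11:22:33:44:55, ARP
    "0001" "0800" "06" "04" "0001"        # ARP: hw=Ethernet, proto=IPv4, request
    "001122334455" "c0a80001"             # sender MAC / 192.168.0.1
    "000000000000" "c0a80002"             # target MAC / 192.168.0.2
)
# 60 bytes captured of a 1514-byte frame: models a snaplen-truncated packet.
FRAME_TRUNCATED = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\x45" * 46

# Events shaped like the pcap.packet schema (constructed sample input).
SAMPLE_EVENTS = [
    {
        "linktype": LINKTYPE_ETHERNET,
        "time": datetime(2024, 1, 1, 12, 0, 0, 250000, tzinfo=timezone.utc),
        "captured_packet_length": len(FRAME_ARP),
        "original_packet_length": len(FRAME_ARP),
        "data": FRAME_ARP,
    },
    {
        "linktype": LINKTYPE_ETHERNET,
        "time": datetime(2024, 1, 1, 12, 0, 1, 7, tzinfo=timezone.utc),
        "captured_packet_length": len(FRAME_TRUNCATED),
        "original_packet_length": 1514,  # the wire frame was longer than what was kept
        "data": FRAME_TRUNCATED,
    },
]


def write_pcap(events, snaplen=262144):
    """Serialize pcap.packet-shaped events into a classic PCAP byte stream."""
    if not events:
        raise ValueError("need at least one packet: the global header carries the link type")
    linktype = events[0]["linktype"]
    # Global header: magic, version 2.4, thiszone=0, sigfigs=0, snaplen, linktype.
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
    for ev in events:
        if ev["linktype"] != linktype:
            raise ValueError("classic PCAP holds one link type per file; got mixed link types")
        data = ev["data"]
        caplen, origlen = ev["captured_packet_length"], ev["original_packet_length"]
        if caplen != len(data) or caplen > origlen or caplen > snaplen:
            raise ValueError("inconsistent packet lengths")
        delta = ev["time"] - EPOCH
        secs = delta.days * 86400 + delta.seconds  # exact integers, no float drift
        # Record header: ts_sec, ts_usec, incl_len (captured), orig_len (on the wire).
        out += struct.pack("<IIII", secs, delta.microseconds, caplen, origlen)
        out += data
    return bytes(out)


def read_pcap(blob):
    """Parse a classic PCAP byte stream back into pcap.packet-shaped events."""
    magic, _major, _minor, _zone, _sigfigs, _snaplen, linktype = struct.unpack_from(
        "<IHHiIII", blob, 0
    )
    if magic != PCAP_MAGIC_USEC:
        raise ValueError(f"unsupported magic 0x{magic:08x} (PCAPNG or nanosecond PCAP?)")
    events, off = [], 24
    while off < len(blob):
        secs, usecs, caplen, origlen = struct.unpack_from("<IIII", blob, off)
        off += 16
        data = blob[off:off + caplen]
        if len(data) != caplen:
            raise ValueError("truncated packet record")
        off += caplen
        events.append({
            "linktype": linktype,
            "time": EPOCH + timedelta(seconds=secs, microseconds=usecs),
            "captured_packet_length": caplen,
            "original_packet_length": origlen,
            "data": data,
        })
    return events


if __name__ == "__main__":
    blob = write_pcap(SAMPLE_EVENTS)
    assert read_pcap(blob) == SAMPLE_EVENTS
    print(f"wrote {len(blob)} bytes for {len(SAMPLE_EVENTS)} packets")
```

The round trip is the useful check: anything that survives write_pcap followed by read_pcap unchanged is faithfully representable in classic PCAP. Mixed link types and a captured length that disagrees with the payload are rejected up front rather than producing a file that Wireshark or tcpdump would misparse.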
PCAPNG
Examples
Write packets as PCAP to a file
The pipeline subscribes to the packets topic, converts the incoming pcap.packet events to PCAP bytes, and writes them to disk:
subscribe "packets"
write_pcap
save_file "/logs/packets.pcap"