Query Filter Utility
This tool exposes the two methods for filtering PCAP data via a command line tool:
- fixed filter
- Stellar query language
The tool is executed via ${metron_home}/bin/pcap_query.sh [fixed|query]
Usage
```
usage: Fixed filter options
 -bop,--base_output_path <arg>   Query result output path. Default is
                                 '/tmp'
 -bp,--base_path <arg>           Base PCAP data path. Default is
                                 '/apps/metron/pcap'
 -da,--ip_dst_addr <arg>         Destination IP address
 -df,--date_format <arg>         Date format to use for parsing start_time
                                 and end_time. Default is to use time in
                                 millis since the epoch.
 -dp,--ip_dst_port <arg>         Destination port
 -et,--end_time <arg>            Packet end time range. Default is current
                                 system time.
 -h,--help                       Display help
 -ir,--include_reverse           Indicates if filter should check swapped
                                 src/dest addresses and IPs
 -p,--protocol <arg>             IP Protocol
 -sa,--ip_src_addr <arg>         Source IP address
 -sp,--ip_src_port <arg>         Source port
 -st,--start_time <arg>          (required) Packet start time range.
```
```
usage: Query filter options
 -bop,--base_output_path <arg>   Query result output path. Default is
                                 '/tmp'
 -bp,--base_path <arg>           Base PCAP data path. Default is
                                 '/apps/metron/pcap'
 -df,--date_format <arg>         Date format to use for parsing start_time
                                 and end_time. Default is to use time in
                                 millis since the epoch.
 -et,--end_time <arg>            Packet end time range. Default is current
                                 system time.
 -h,--help                       Display help
 -q,--query <arg>                Query string to use as a filter
 -st,--start_time <arg>          (required) Packet start time range.
```
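The usage text above says start_time and end_time are read as milliseconds since the epoch unless -df is given, which is the step analysts most often get wrong when scoping a capture window. The following POSIX shell helper is an added example, not part of the Metron project's own scripts: it converts ISO 8601 UTC timestamps to epoch milliseconds with pure shell arithmetic (no GNU date needed) and assembles a fixed-filter invocation (with -ir so both directions of a conversation are returned) and a Stellar query-filter invocation. The install path under METRON_HOME, the IP addresses and the query string are constructed placeholders.

```shell
#!/bin/sh
# Added example: helpers for invoking pcap_query.sh with epoch-millisecond times.
# Assumptions (not from the page): the METRON_HOME default path, the sample
# addresses and the sample Stellar query are placeholders.

# Days since 1970-01-01 for a proleptic Gregorian date (civil -> days,
# Howard Hinnant's algorithm), so no GNU-specific 'date -d' is required.
days_from_civil() {
  y=$1; m=$2; d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$(( y / 400 ))
  yoe=$(( y - era * 400 ))
  mp=$(( (m + 9) % 12 ))
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# "2017-01-01T12:30:08Z" -> milliseconds since the epoch, the tool's default
# time format when -df is not given. Leading zeros are stripped so that
# "08" and "09" are not treated as invalid octal literals by $(( )).
to_epoch_millis() {
  set -- $(printf '%s\n' "$1" | sed 's/[-T:Z]/ /g')
  days=$(days_from_civil "${1#0}" "${2#0}" "${3#0}")
  echo $(( (days * 86400 + ${4#0} * 3600 + ${5#0} * 60 + ${6#0}) * 1000 ))
}

# Fixed-filter command for traffic between two hosts in a UTC window.
# -ir makes the filter also match packets with src/dst swapped, so the
# reply direction of the conversation is included. The command is only
# echoed so it can be reviewed before it is run against the cluster.
fixed_cmd() {
  st=$(to_epoch_millis "$1"); et=$(to_epoch_millis "$2")
  echo "${METRON_HOME:-/path/to/metron}/bin/pcap_query.sh fixed -st $st -et $et -sa $3 -da $4 -ir -bop /tmp/pcap-out"
}

# Stellar query-filter command; the query string is passed through verbatim.
query_cmd() {
  st=$(to_epoch_millis "$1"); et=$(to_epoch_millis "$2")
  echo "${METRON_HOME:-/path/to/metron}/bin/pcap_query.sh query -st $st -et $et -q \"$3\""
}

# Usage with constructed sample values:
fixed_cmd 2017-01-01T00:00:00Z 2017-01-01T01:00:00Z 10.0.0.5 10.0.0.9
query_cmd 2017-01-01T00:00:00Z 2017-01-01T01:00:00Z "ip_src_addr == '10.0.0.5' and ip_src_port == '60500'"
```

Both helpers print the command rather than executing it, so the resolved millisecond values can be checked against the intended window before a potentially long-running job is submitted; replacing echo with exec turns them into direct wrappers.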