[ https://issues.apache.org/jira/browse/METRON-870?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15984877#comment-15984877 ]
ASF GitHub Bot commented on METRON-870:
---------------------------------------
Github user justinleet commented on a diff in the pull request:
https://github.com/apache/incubator-metron/pull/541#discussion_r113459957
--- Diff: metron-platform/metron-pcap-backend/README.md ---
@@ -127,3 +130,23 @@ usage: Query filter options
-q,--query <arg> Query string to use as a filter
-st,--start_time <arg> (required) Packet start time range.
```
+
+The Query filter's `--query` argument specifies the Stellar expression to
+execute on each packet. To interact with the packet, a few variables are
exposed:
+* `packet` : The packet data (a `byte[]`)
+* `ip_src_addr` : The source address for the packet (a `String`)
+* `ip_src_port` : The source port for the packet (an `Integer`)
+* `ip_dst_addr` : The destination address for the packet (a `String`)
+* `ip_dst_port` : The destination port for the packet (an `Integer`)
+
+#### Binary Regex
+
+Filtering can be done both by the packet header as well as via a binary
regular expression
+which can be run on the packet payload itself. This filter can be
specified via:
+* The `-pf` or `--packet_filter` options for the fixed query filter
+* The `BYTEARRAY_MATCH(pattern, data)` Stellar function.
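Review bot: the new Binary Regex section (from `+#### Binary Regex` through the `BYTEARRAY_MATCH(pattern, data)` bullet) never says what syntax the binary regular expression uses or how non-printable bytes are written in a pattern, so a reader cannot build a working `-pf`/`--packet_filter` value from this text; add one worked `--packet_filter` invocation and one `--query` example that calls the Stellar function, and state explicitly that the `data` argument is the `packet` variable (`byte[]`) introduced in the bullet list above. Also verify that the function name and argument order in `BYTEARRAY_MATCH(pattern, data)` match the function as actually registered in Stellar, since this line is what users will copy.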
--- End diff --
Looks like this is supposed to be BYTEARRAY_MATCHER
> Add filtering by packet payload to the pcap query
> -------------------------------------------------
>
> Key: METRON-870
> URL: https://issues.apache.org/jira/browse/METRON-870
> Project: Metron
> Issue Type: Improvement
> Reporter: Casey Stella
>
> Currently we have the ability to filter packets in the pcap query tool by
> header information (src/dest ip/port). We should be able to filter by binary
> regex on the packets themselves.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)