[
https://issues.apache.org/jira/browse/METRON-1641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16524637#comment-16524637
]
ASF GitHub Bot commented on METRON-1641:
----------------------------------------
Github user mmiklavc commented on the issue:
https://github.com/apache/metron/pull/1081
**Testing**
Get PCAP data into Metron:
1. Install and set up pycapa (look for "Install pycapa" here:
https://cwiki.apache.org/confluence/display/METRON/Metron+0.4.1+with+HDP+2.5+bare-metal+install+on+Centos+7+with+MariaDB+for+Metron+REST)
2. (if using singlenode vagrant) Kill the enrichment and sensor topologies
via `for i in bro enrichment yaf snort; do storm kill $i; done`
3. Start the pcap topology via `$METRON_HOME/bin/start_pcap_topology.sh`
4. Start the pycapa packet capture producer on eth1 via
`/usr/bin/pycapa --producer --topic pcap -i eth1 -k node1:6667`
5. Watch the topology in the Storm UI and kill the packet capture utility
from before, when the number of packets ingested is over 3k.
6. Ensure that at least 3 files exist on HDFS by running
`hadoop fs -ls /apps/metron/pcap`
7. Choose a file (denoted by $FILE) and dump a few of the contents using
the pcap_inspector utility via `$METRON_HOME/bin/pcap_inspector.sh -i $FILE -n 5`
8. Choose one of the lines and note the protocol.
9. Note that when you run the commands below, the resulting file will be
placed in the execution directory where you kicked off the job from.
### Fixed filter
1. Run a fixed filter query by executing the following command with the
values noted above (match your start_time format to the date format provided -
default is to use millis since epoch)
2. `$METRON_HOME/bin/pcap_query.sh fixed -st <start_time> -df "yyyyMMdd" -p <protocol_num> -rpf 500`
3. Verify the MR job finishes successfully. Upon completion, you should see
multiple files named with relatively current datestamps in your current
directory, e.g. pcap-data-20160617160549737+0000.pcap
4. Copy the files to your local machine and verify you can open them in
Wireshark. I chose a middle file and the last file. The middle file should have
500 records (per the records_per_file option), and the last one will likely
have a number of records <= 500.
### Query filter
1. Run a Stellar query filter query by executing a command similar to the
following, with the values noted above (match your start_time format to the
date format provided - default is to use millis since epoch)
2. `$METRON_HOME/bin/pcap_query.sh query -st "20160617" -df "yyyyMMdd" -query "protocol == '6'" -rpf 500`
3. Verify the MR job finishes successfully. Upon completion, you should see
multiple files named with relatively current datestamps in your current
directory, e.g. pcap-data-20160617160549737+0000.pcap
4. Copy the files to your local machine and verify you can open them in
Wireshark. I chose a middle file and the last file. The middle file should have
500 records (per the records_per_file option), and the last one will likely
have a number of records <= 500.
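Step 4 of both filter sections above verifies the output files by hand in Wireshark. The following is an added example, not code from the pull request or from Metron, that performs the same check programmatically: it parses classic libpcap files (link type 1, Ethernet, which is what the steps assume pcap_query writes), counts the records in each output file, confirms every file but the last holds exactly `records_per_file` (the `-rpf` value) records and the last holds at most that many, and confirms every packet's IPv4 protocol number matches the filter (6 = TCP, as in the `protocol == '6'` query). The sample files are constructed in memory so it runs offline; the file names and record counts are made up for the demonstration, and `check_output_files` and `make_ipv4_packet` are names chosen here, not Metron APIs.

```python
"""Verify pcap_query output files: records per file and protocol filter."""
import struct
from typing import Iterable, Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4       # classic libpcap magic (microsecond timestamps)
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800


def make_ipv4_packet(proto: int, payload: bytes = b"") -> bytes:
    """Build a minimal Ethernet + IPv4 frame carrying IP protocol `proto`.
    Constructed test data only; addresses and checksum are placeholders."""
    eth = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + payload


def write_pcap(packets: Iterable[bytes], ts_sec: int = 1466179549) -> bytes:
    """Serialize frames into a little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", ts_sec, i, len(pkt), len(pkt)) + pkt
    return out


def read_pcap(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (ts_sec, ts_usec, frame) per record; honours either byte order."""
    magic, = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield ts_sec, ts_usec, frame


def ip_protocol(frame: bytes):
    """Return the IPv4 protocol number of an Ethernet frame, or None if not IPv4."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    return frame[ETH_HDR_LEN + 9]   # protocol field sits at IPv4 header offset 9


def check_output_files(files: List[Tuple[str, bytes]], records_per_file: int,
                       protocol: int) -> dict:
    """files: (name, bytes) pairs in the order pcap_query wrote them.
    Returns per-file record counts plus a list of violations of the expected
    layout (full middle files, partial last file, filter-matching packets)."""
    counts, problems = {}, []
    for idx, (name, data) in enumerate(files):
        records = list(read_pcap(data))
        counts[name] = len(records)
        is_last = idx == len(files) - 1
        if not is_last and len(records) != records_per_file:
            problems.append("%s: expected %d records, got %d"
                            % (name, records_per_file, len(records)))
        if is_last and not 0 < len(records) <= records_per_file:
            problems.append("%s: last file should hold 1..%d records, got %d"
                            % (name, records_per_file, len(records)))
        for _, _, frame in records:
            proto = ip_protocol(frame)
            if proto != protocol:
                problems.append("%s: packet with protocol %r does not match filter %d"
                                % (name, proto, protocol))
                break
    return {"counts": counts, "problems": problems}


def demo() -> dict:
    """Three constructed output files for -rpf 500 and protocol 6 (TCP)."""
    rpf = 500
    files = [
        ("pcap-data-20160617160549737+0000.pcap", write_pcap(make_ipv4_packet(6) for _ in range(rpf))),
        ("pcap-data-20160617160549738+0000.pcap", write_pcap(make_ipv4_packet(6) for _ in range(rpf))),
        ("pcap-data-20160617160549739+0000.pcap", write_pcap(make_ipv4_packet(6) for _ in range(123))),
    ]
    return check_output_files(files, rpf, 6)


if __name__ == "__main__":
    result = demo()
    print(result["counts"])
    print("OK" if not result["problems"] else "\n".join(result["problems"]))
```

To run it against real output, replace the constructed list in `demo()` with the `pcap-data-*.pcap` files from the job's execution directory, sorted by name so the last file is the partial one; a non-empty `problems` list means the records-per-file split or the protocol filter did not behave as the steps above expect.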
> Enable Pcap jobs to be submitted asynchronously
> -----------------------------------------------
>
> Key: METRON-1641
> URL: https://issues.apache.org/jira/browse/METRON-1641
> Project: Metron
> Issue Type: New Feature
> Reporter: Michael Miklavcic
> Assignee: Michael Miklavcic
> Priority: Major
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)