Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Pcap data index to ElasticSearch

Labels:
avatar
author-rank nnat25191
Expert Contributor

Created ‎10-03-2017 03:28 PM

I've installed and configured pcap service and replay for our apache metron. The pcap data has been captured and stored in HDFS /apps/metron/pcap. However, I could not find information of how to index these files into ElasticSearch and make it available on Apache Metron dashboard. I found a related thread, but didn't answer my question or I'm just confused? https://community.hortonworks.com/questions/36622/how-to-use-the-metron-ui-to-see-the-pcap-data.html

1. How to get the pcap data collected/stored in HDFS indexed into ElasticSearch?

2. How to get the pcap panel on Metron dashboard like the old version of Metron?

Any feedback is greatly appreciated.

6,619 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank nallen author-rank
Expert Contributor

Created ‎10-04-2017 02:19 PM

> 1. How to get the pcap data collected/stored in HDFS indexed into ElasticSearch?

In Apache Metron there is not a mechanism to ingest raw pcap data into Elasticsearch. I have found a search index like Elasticsearch more useful for higher level meta information like flows.

There is a tool called Pcap Query to search and retrieve slices of the raw pcap stored in HDFS. This queries against the data stored in HDFS and returns a libpcap-compliant file containing the raw pcap data that you can then load into 3rd party tools like Wireshark.

> 2. How to get the pcap panel on Metron dashboard like the old version of Metron?

The Pcap Panel from the original OpenSOC project was not carried forward due to technical limitations.

View solution in original post

5,164 Views
0 Kudos
10 REPLIES 10

avatar
author-rank nnat25191
Expert Contributor

Created ‎11-15-2017 08:35 PM

Thank you @jsirota for the explaination. I think I got the first part comfortably. However, the second part is still fuzzy to me where we narrow down to certain data to export out to PCAP format in order to view them in wireshark.

I was looking up for Metron meetup around NOVA/MD area, but couldn't find any. There are so much with Metron I would like to learn and understand better. I started to tap into our company network interface instead of the tap0 switch we created and I started to run into more issues with services being down.

1,798 Views
0 Kudos
webinar banner
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements
meetups banner