Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Pcap data index to ElasticSearch

Labels:
avatar
author-rank nnat25191
Expert Contributor

Created ‎10-03-2017 03:28 PM

I've installed and configured pcap service and replay for our apache metron. The pcap data has been captured and stored in HDFS /apps/metron/pcap. However, I could not find information of how to index these files into ElasticSearch and make it available on Apache Metron dashboard. I found a related thread, but didn't answer my question or I'm just confused? https://community.hortonworks.com/questions/36622/how-to-use-the-metron-ui-to-see-the-pcap-data.html

1. How to get the pcap data collected/stored in HDFS indexed into ElasticSearch?

2. How to get the pcap panel on Metron dashboard like the old version of Metron?

Any feedback is greatly appreciated.

7,868 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank nallen author-rank
Expert Contributor

Created ‎10-04-2017 02:19 PM

> 1. How to get the pcap data collected/stored in HDFS indexed into ElasticSearch?

In Apache Metron there is not a mechanism to ingest raw pcap data into Elasticsearch. I have found a search index like Elasticsearch more useful for higher level meta information like flows.

There is a tool called Pcap Query to search and retrieve slices of the raw pcap stored in HDFS. This queries against the data stored in HDFS and returns a libpcap-compliant file containing the raw pcap data that you can then load into 3rd party tools like Wireshark.

> 2. How to get the pcap panel on Metron dashboard like the old version of Metron?

The Pcap Panel from the original OpenSOC project was not carried forward due to technical limitations.

View solution in original post

6,413 Views
0 Kudos
10 REPLIES 10

avatar
author-rank nnat25191
Expert Contributor

Created ‎11-15-2017 08:35 PM

Thank you @jsirota for the explaination. I think I got the first part comfortably. However, the second part is still fuzzy to me where we narrow down to certain data to export out to PCAP format in order to view them in wireshark.

I was looking up for Metron meetup around NOVA/MD area, but couldn't find any. There are so much with Metron I would like to learn and understand better. I started to tap into our company network interface instead of the tap0 switch we created and I started to run into more issues with services being down.

1,948 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.14 for Cloudera Pu...
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
View More Announcements