Reading packets from pcap file


(catwallader) #1

Is it possible to read packets from an existing pcap file? I see that packetbeat has a -I option, which I thought would be an input file, but it doesn't seem to be.


(Tudor Golubenco) #2

That's right, the -I option does that. Here is an example:

./packetbeat -e -c packetbeat.dev.yml -t -I tests/pcaps/http_post.pcap -d "publish"

The -t means reading the packets as fast as possible (as opposed to replaying them at the time intervals from the capture).

We use these options mostly for development and automatic tests, but they should work also for indexing pcap files.


(catwallader) #3

Hi Tudor.

I tried your command, but it isn't working for me. I just ended up capturing
packets from the wire for the few milliseconds that packetbeat ran.

Also, I don't see individual packets, which I guess makes sense since
packetbeat is following high level protocol flows, http, etc. However if
packetbeat had a mode to capture individual packets that would be more
useful to me. Is there a way to do that with packetbeat?

Cheers,


(catwallader) #4

Hi again Tudor.

Correction, packetbeat does read in pcap files if there are app protocol
requests and responses. The packet capture I mentioned earlier was just
raw TCP packets, at least in Wireshark the only protocol identified was
TCP. But for another capture I did there was an HTTP request and response
that packetbeat got.


(Tudor Golubenco) #5

Right, Packetbeat only publishes when it sees a request-response pair. You can make it save pcap files, btw, with the -dump option.
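
Added example, not part of the thread and not Packetbeat code: a small Python check that reads a classic pcap file and counts HTTP request/response pairs per TCP flow, which shows why a capture holding only raw TCP yields nothing to publish. It assumes Ethernet/IPv4 frames and matches only on the first bytes of each segment (no stream reassembly); the helper names and the two sample captures are constructed for illustration.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")

def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, payload) for each IPv4/TCP frame in a classic pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:14 + struct.unpack("!H", frame[16:18])[0]]
        if len(tcp) < 20:
            continue  # truncated TCP header
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield frame[26:30], sport, frame[30:34], dport, tcp[(tcp[12] >> 4) * 4:]

def count_http_pairs(pcap):
    """Count TCP segments, segments with payload, and matched HTTP request/response pairs."""
    pending, stats = {}, {"tcp_segments": 0, "with_payload": 0, "pairs": 0}
    for src, sport, dst, dport, payload in tcp_segments(pcap):
        stats["tcp_segments"] += 1
        stats["with_payload"] += bool(payload)
        if payload.startswith(HTTP_METHODS):
            key = (src, sport, dst, dport)
            pending[key] = pending.get(key, 0) + 1
        elif payload.startswith(b"HTTP/1.") and pending.get((dst, dport, src, sport)):
            pending[(dst, dport, src, sport)] -= 1  # response answers a request on the reverse flow
            stats["pairs"] += 1
    return stats

def _frame(src, sport, dst, dport, payload=b""):
    # Constructed Ethernet/IPv4/TCP frame; checksums are left at zero.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

C, S = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed client and server addresses
RAW_TCP = build_pcap([_frame(C, 40000, S, 80), _frame(S, 80, C, 40000), _frame(C, 40000, S, 80, b"\x00\x01bin")])
HTTP_POST = build_pcap([_frame(C, 40000, S, 80, b"POST /x HTTP/1.1\r\n\r\n"), _frame(S, 80, C, 40000, b"HTTP/1.1 200 OK\r\n\r\n")])
```

`count_http_pairs(RAW_TCP)` reports zero pairs while `count_http_pairs(HTTP_POST)` reports one, mirroring the two captures described in posts #3 and #4.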

