Output pcap_flow
The output pcap_flow will save connections into separate files.
Parameters
| Name | Type | Default value | Description |
|---|---|---|---|
| flow_proto | string | tcp | Connections of this protocol will be in separate files. |
| link_type | string | ethernet | Type of frame to save in the pcap file. Possible values are: ethernet, ipv4, docsis, 80211, radiotap, mpeg_ts, ppi. |
| prefix | string | /tmp/${ipv4.src}.${tcp.sport}-${ipv4.dst}.${tcp.dport}- | Prefix of the files created. This will need to be changed if the flow_proto is not tcp. |
| snaplen | uint16 | 1550 | Maximum stored size of packets. |
| unbuffered | bool | no | When set to yes, packets are written directly to disk instead of being buffered. This can be useful in some cases but will slow performance. |
Events
| Name | Payload associated | Description |
|---|---|---|
| pcap_flow_file | no | Event containing information about the files created by the output. |
pcap_flow_file
This event starts when a new file is created and ends when the file is closed.
| Field | Type | Description |
|---|---|---|
| output | string | Name of the output which generated the event. |
| filename | string | Filename being created. |
| bytes | uint64 | Number of packet bytes written to the file. |
| packets | uint64 | Number of packets written to the file. |
| info | list | Lists all the fields of the first packet. The key is 'proto.field' and the value is the field value. |
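The prefix parameter above is a template whose ${proto.field} references are filled from the fields of the flow's first packet, the same 'proto.field' keys the info field of the pcap_flow_file event exposes. The following is an added Python example, not pom-ng's own code, showing how such a template expands and why the default tcp prefix must be changed when flow_proto is udp. The sample info maps and the rule that a substituted value may only contain address-like characters are constructed assumptions for the example; what pom-ng appends after the expanded prefix is not documented on this page and is not modelled here.

```python
import re

# Constructed sample "info" maps for the first packet of a flow, keyed by
# 'proto.field' exactly as the pcap_flow_file event documents them.
TCP_FIRST_PACKET_INFO = {
    "ipv4.src": "192.0.2.10",
    "ipv4.dst": "198.51.100.20",
    "tcp.sport": 51234,
    "tcp.dport": 443,
}
UDP_FIRST_PACKET_INFO = {
    "ipv4.src": "192.0.2.10",
    "ipv4.dst": "198.51.100.53",
    "udp.sport": 40001,
    "udp.dport": 53,
}

# Default prefix from the parameter table, and the udp variant an operator
# would configure when flow_proto is set to udp.
DEFAULT_TCP_PREFIX = "/tmp/${ipv4.src}.${tcp.sport}-${ipv4.dst}.${tcp.dport}-"
UDP_PREFIX = "/tmp/${ipv4.src}.${udp.sport}-${ipv4.dst}.${udp.dport}-"

# ${proto.field} reference inside the template.
_VAR = re.compile(r"\$\{([A-Za-z0-9_]+\.[A-Za-z0-9_]+)\}")
# Assumed hygiene rule: a substituted value may only carry characters that
# make sense in an address or port, never a path separator.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9.:_-]+$")


def referenced_protos(prefix):
    """Return the set of protocol names a prefix template references."""
    return {key.split(".", 1)[0] for key in _VAR.findall(prefix)}


def expand_prefix(prefix, info):
    """Substitute every ${proto.field} in prefix with its value from info.

    Raises KeyError when the template references a field the first packet
    does not carry (e.g. tcp.sport on a udp flow) and ValueError when a
    value fails the safe-character rule (an assumption of this example).
    """
    def repl(match):
        key = match.group(1)
        if key not in info:
            raise KeyError(f"prefix references {key} but first packet has no such field")
        value = str(info[key])
        if not _SAFE_VALUE.match(value):
            raise ValueError(f"value for {key} is not safe in a filename: {value!r}")
        return value
    return _VAR.sub(repl, prefix)


def prefix_is_usable(prefix, info):
    """True when the prefix expands cleanly for this first-packet info."""
    try:
        expand_prefix(prefix, info)
    except (KeyError, ValueError):
        return False
    return True


if __name__ == "__main__":
    print(expand_prefix(DEFAULT_TCP_PREFIX, TCP_FIRST_PACKET_INFO))
    print(expand_prefix(UDP_PREFIX, UDP_FIRST_PACKET_INFO))
    # The default prefix cannot be used on a udp flow:
    print(prefix_is_usable(DEFAULT_TCP_PREFIX, UDP_FIRST_PACKET_INFO))
```

Running the block prints the expanded tcp and udp prefixes and then False for the mismatched case, which is the situation the parameter table warns about: with flow_proto set to udp the default prefix still references tcp.sport and tcp.dport, which a udp first packet never carries.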
