Skip to content

Network Interface

Tenzir supports capturing packets from a network interface card (NIC).

Use from_nic to capture live packets as events:

Memory Chunkheaderpacketpacket..packetstruct packet_header { uint32_t timestamp; uint32_t timestamp_fraction; uint32_t captured_packet_length; uint32_t original_packet_length;} __attribute__((packed));struct file_header { uint32_t magic_number; uint16_t major_version; uint16_t minor_version; uint32_t reserved1; uint32_t reserved2; uint32_t snaplen; uint32_t linktype;} __attribute__((packed));Memory Chunk...subsequent PCAP file headers areonly present when emit-file-headers=true

from_nic uses read_pcap by default.

Examples

Section titled “Examples”

List active network interfaces

Section titled “List active network interfaces”

If you don’t know what interface to read from, use the nics operator to identify suitable candidates:

nics
select name, addresses, up
where up
{
  name: "eth0",
  addresses: [
    "169.254.172.2",
    "fe80::6471:53ff:fe5f:a8cc",
  ],
  up: true,
}
{
  name: "eth1",
  addresses: [
    "10.0.101.13",
    "fe80::f7:75ff:fe66:94e5",
  ],
  up: true,
}
{
  name: "lo",
  addresses: [
    "127.0.0.1",
    "::1",
  ],
  up: true,
}

Read packets from a network interface

Section titled “Read packets from a network interface”

Capture packets from eth0:

from_nic "eth0"
head 3
{
  linktype: 1,
  timestamp: "2021-11-17T13:32:43.237882",
  captured_packet_length: 74,
  original_packet_length: 74,
  data: "ABY88f1tZJ7zvttmCABFAAA8inQAADQGN+yADoaqxkf3W+B8AFDc3z7hAAAAAKACchATrQAAAgQFtAQCCApMw7SVAAAAAAEDAwc=",
}
{
  linktype: 1,
  timestamp: "2021-11-17T13:32:43.237939",
  captured_packet_length: 74,
  original_packet_length: 74,
  data: "ZJ7zvttmABY88f1tCABFAAA8AABAAEAGdmDGR/dbgA6GqgBQ4HzXXzhD3N8+4qAS/ohsJAAAAgQFtAQCCAqjGGhDTMO0lQEDAwc=",
}
{
  linktype: 1,
  timestamp: "2021-11-17T13:32:43.249425",
  captured_packet_length: 66,
  original_packet_length: 66,
  data: "ABY88f1tZJ7zvttmCABFAAA0inUAADQGN/OADoaqxkf3W+B8AFDc3z7i1184RIAQAOWYkQAAAQEICkzDtJijGGhD",
}

Decapsulate packets

Section titled “Decapsulate packets”

After you have structured data in the form of PCAP events, you can use the fndecapsulate function to decode the binary data:

from_nic "eth0"
select packet = decapsulate(this)
head 1
{
  packet: {
    ether: {
      src: "64-9E-F3-BE-DB-66",
      dst: "00-16-3C-F1-FD-6D",
      type: 2048,
    },
    ip: {
      src: "128.14.134.170",
      dst: "198.71.247.91",
      type: 6,
    },
    tcp: {
      src_port: 57468,
      dst_port: 80,
    },
    community_id: "1:YXWfTYEyYLKVv5Ge4WqijUnKTrM=",
  }

Decapsulation automatically computes a Community ID for correlation in the community_id field. You could also use the fncommunity_id function to compute this value manually for different events.

Last updated: