Skip to content

write_pcap

Serializes packet events as a PCAP byte stream.

write_pcap

Description

Section titled “Description”

The write_pcap operator transforms packet events into a PCAP byte stream.

The operator accepts pcap.packet events. When present, it also uses pcap.file_header events emitted by read_pcap to preserve the original timestamp precision and byte order.

If no pcap.file_header event is present, write_pcap generates a file header from the first packet’s linktype and writes timestamps with nanosecond precision.

The structured representation of packets has the pcap.packet schema:

pcap.packet:
  record:
    - linktype: uint64
    - timestamp: time
    - captured_packet_length: uint64
    - original_packet_length: uint64
    - data: blob

Examples

Section titled “Examples”

Write a live capture to a PCAP file

Section titled “Write a live capture to a PCAP file”
from_nic "en1"
write_pcap
save_file "/logs/packets.pcap"

Round-trip a PCAP file while preserving its file header

Section titled “Round-trip a PCAP file while preserving its file header”
from_file "/tmp/trace.pcap" {
  read_pcap emit_file_headers=true
}
write_pcap
save_file "/tmp/trace-copy.pcap"

See Also

Section titled “See Also”

Last updated: