Captures raw PCAP bytes from a network interface.
load_nic iface:str, [snaplen=int, emit_file_headers=bool]

Description

The load_nic operator uses libpcap to acquire packets from a network interface and packs them into blocks of bytes that represent PCAP packet records.
The first captured packet also triggers emission of a PCAP file header so downstream operators can treat the packet stream as a valid PCAP capture file.
Use read_pcap to parse the emitted PCAP byte stream into packet events.
iface: str

The interface to load bytes from.
snaplen = int (optional)

Sets the snapshot length of the captured packets.
This value is an upper bound on the packet size. Packets larger than this size get truncated to snaplen bytes.
Defaults to 262144.
emit_file_headers = bool (optional)

Creates PCAP file headers for every flushed batch.

The operator emits chunks of bytes that represent a stream of packets. When emit_file_headers is set, every chunk gets its own PCAP file header instead of only the very first one. This yields a continuous stream of concatenated PCAP files.
Our read_pcap operator can handle such concatenated traces and optionally re-emit those file headers as separate events.
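To make the byte layout concrete, here is an added Python example (not Tenzir's own code) that parses the stream load_nic produces: a 24-byte PCAP file header followed by 16-byte packet record headers, with further file headers appearing mid-stream when emit_file_headers is set. It optionally re-emits those file headers as separate events, as read_pcap can, and flags packets whose original length exceeds the captured length, which is what snaplen truncation looks like in the data; the sample bytes are constructed inline.

```python
import struct
# Added example (not Tenzir's code): parse the PCAP byte stream load_nic emits.
PCAP_MAGICS = {0xA1B2C3D4: "us", 0xA1B23C4D: "ns"}  # microsecond / nanosecond
FILE_HDR_LEN, REC_HDR_LEN = 24, 16

def parse_pcap_stream(data: bytes, emit_file_headers: bool = False) -> list:
    """Split (possibly concatenated) PCAP files into packet events.

    A file header (found by its magic) starts the stream, or every chunk when
    load_nic ran with emit_file_headers; it becomes its own event only if
    emit_file_headers is set here, mirroring read_pcap's option.
    """
    events, off, order, snaplen = [], 0, None, None
    while off + 4 <= len(data):
        le, be = struct.unpack_from("<I", data, off)[0], struct.unpack_from(">I", data, off)[0]
        if le in PCAP_MAGICS or be in PCAP_MAGICS:
            order = "<" if le in PCAP_MAGICS else ">"
            magic, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack_from(
                order + "IHHiIII", data, off)
            off += FILE_HDR_LEN
            if emit_file_headers:
                events.append({"kind": "file_header", "snaplen": snaplen,
                               "linktype": linktype, "timestamps": PCAP_MAGICS[magic]})
            continue
        if order is None:
            raise ValueError("packet record before any PCAP file header")
        ts_sec, ts_frac, caplen, origlen = struct.unpack_from(order + "IIII", data, off)
        if caplen > snaplen:  # snaplen is the upper bound set at capture time
            raise ValueError(f"caplen {caplen} exceeds snaplen {snaplen}")
        start = off + REC_HDR_LEN
        if start + caplen > len(data):
            raise ValueError("truncated packet record at end of stream")
        events.append({"kind": "packet", "ts_sec": ts_sec, "ts_frac": ts_frac,
                       "caplen": caplen, "origlen": origlen,
                       "truncated": origlen > caplen, "data": data[start:start + caplen]})
        off = start + caplen
    return events

def file_header(snaplen: int = 262144, linktype: int = 1) -> bytes:
    """Build a little-endian PCAP file header (v2.4, LINKTYPE_ETHERNET = 1)."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)

def packet_record(ts_sec: int, payload: bytes, origlen: int = 0) -> bytes:
    """Build one packet record; origlen > len(payload) marks a truncated packet."""
    return struct.pack("<IIII", ts_sec, 0, len(payload), origlen or len(payload)) + payload

# Constructed stream: two chunks as with emit_file_headers=true and snaplen=64;
# the second packet was 200 bytes on the wire but got cut to 64.
SAMPLE = (file_header(64) + packet_record(1700000000, b"\x00" * 40)
          + file_header(64) + packet_record(1700000001, b"\xff" * 64, origlen=200))
```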
Examples

Load raw PCAP bytes from eth0

load_nic "eth0"

Parse packets from eth0

load_nic "eth0"
read_pcap

Perform the equivalent of tcpdump -i en0 -w trace.pcap

load_nic "en0"
save_file "trace.pcap"