How does pcapr-local create pcaps ID?


Akira

May 31, 2011, 12:19:28 PM
to pcapr-forum
Hi,
I'm trying to figure out how I can derive a pcap filename from the
pcapr ID, using the xtractr ruby gem.

When I put my pcap (let's say hello.pcap) in my pcaps directory, it
will be indexed by pcapr-local, which will assign a unique ID (an md5
hash I guess, but is not the file's one).
Since now, I'm able to access this pcap only through this ID, as a
matter of fact, when I do a

curl 'http://127.0.0.1:8080/pcaps/1/list'

the RESTful API will return me only the indexed pcaps' IDs.

Since I saw the "xtractr query language" wiki page, I've been trying
to read the field "pkt.pcap" using the xtractr ruby gem, but there is
no method mapped to that field (packet.field('pkt.pcap') doesn't
work...)

Any suggestion?


thanks a lot

akira

kowsik

May 31, 2011, 12:37:01 PM
to pcapr...@googlegroups.com
On Tue, May 31, 2011 at 9:19 AM, Akira <marc...@gmail.com> wrote:
> Hi,
> I'm trying to figure out how I can derive a pcap filename from the
> pcapr ID, using the xtractr ruby gem.
>
> When I put my pcap (let's say hello.pcap) in my pcaps directory, it
> will be indexed by pcapr-local, which will assign a unique ID (an md5
> hash I guess, but is not the file's one).
> Since now, I'm able to access this pcap only through this ID, as a
> matter of fact, when I do a
>
> curl 'http://127.0.0.1:8080/pcaps/1/list'
>
> the RESTful API will return me only the indexed pcaps' IDs.

Assuming you have an id of, say, 'cafebabe', here's how you get at the
metadata for that pcap:

curl 'http://127.0.0.1:8080/pcaps/1/about/cafebabe'

This simply retrieves the CouchDB document corresponding to the
specific pcap. This document contains metadata about the pcap (size,
flows, packets, services), the indexer status as well as a few other
things. See pcapr_local/server.rb for the various registered routes.

And you can now create the Xtractr object against this endpoint:

xtractr = Mu::Xtractr.create 'http://127.0.0.1:8080/pcaps/1/pcap/cafebabe'

Regards,
The Pcapr Team

http://www.pcapr.net
http://twitter.com/pcapr
http://labs.mudynamics.com

Akira

May 31, 2011, 12:54:37 PM
to pcapr-forum
Hi kowsik,

Thanks for your fast answer, it was what I needed.

However, in the meantime I found my -complicated- way to do it by
taking a look at the scanner.rb source code.
So, how does pcapr-local create pcaps ID?
A: By making an MD5 digest of the filename and its size.
Here is the sample code to do that:

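require 'digest/md5'
pcap_dir = '.' # placeholder: set this to the pcaps directory that pcapr-local indexes
filename = '349cd92f69e5d98254827f30c591ed0a.pcap'
stat = File.stat(File.join(pcap_dir, filename))
# Feed "<filename>:<size in bytes>" into an MD5 digest
id = Digest::MD5.new
id << "#{filename}:#{stat.size}"
puts id.hexdigest # hex string form of the digest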

Maybe it could be useful to someone :)

Thank you !
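
Added example (not part of the thread and not pcapr-local's own code): a reverse lookup from ID to filename using the scheme described in the post above, with a constructed check showing that such an ID follows the file's name and size rather than its content. The helper names `pcapr_style_id`, `id_index` and `demo` are hypothetical, and it assumes the bare filename is the string that gets hashed.

```ruby
require 'digest/md5'
require 'tmpdir'

# ID scheme as described in this thread: MD5 over "<filename>:<size in bytes>".
def pcapr_style_id(filename, size)
  Digest::MD5.hexdigest("#{filename}:#{size}")
end

# Build an id => filename lookup for every *.pcap directly inside dir.
# Assumption: the indexed name is the bare filename, as in the snippet above.
def id_index(dir)
  Dir.glob(File.join(dir, '*.pcap')).sort.each_with_object({}) do |path, index|
    name = File.basename(path)
    index[pcapr_style_id(name, File.size(path))] = name
  end
end

# Constructed demo: shows which changes the ID does and does not notice.
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'hello.pcap')
    File.binwrite(path, 'A' * 64)          # constructed stand-in for capture data
    before = id_index(dir)
    content_hash_before = Digest::MD5.file(path).hexdigest

    File.binwrite(path, 'B' * 64)          # different bytes, same name and size
    after_edit = id_index(dir)
    content_hash_after = Digest::MD5.file(path).hexdigest

    File.rename(path, File.join(dir, 'renamed.pcap'))
    after_rename = id_index(dir)

    {
      lookup: before[pcapr_style_id('hello.pcap', 64)],
      id_survives_same_size_edit: before.keys == after_edit.keys,
      content_hash_changed: content_hash_before != content_hash_after,
      id_changes_on_rename: before.keys != after_rename.keys,
      renamed_lookup: after_rename.values
    }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

An ID built this way is a handle for locating a capture, not an integrity check: when captures are kept as evidence, record a content hash alongside it.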


