outputpcap
Writes the payload field of input records as a PCAP file to a specified file system path. Use this to capture network packets and save them to a file.
Command properties
| Property | Description |
|---|---|
| Command type | Transforming |
| Required permission | None |
| License usage | N/A |
| Parallel execution | Not supported |
| Distributed execution | Runs on Control Node (reducer) |
Syntax
```
outputpcap FILE_PATH
```
Target
FILE_PATH - File system path where the PCAP file is written. Query context references (`${}`) can be used.
Input fields
| Field | Type | Required | Description |
|---|---|---|---|
| payload | binary | Required | Packet data to write to the PCAP file. Records whose payload is not of byte[] type are not written to the file but are still passed to the next command. |
| _time | timestamp | Optional | Timestamp of the packet. If it is not set or not of Date type, the current time is used. |
Error codes
Parse errors
| Error code | Message | Description |
|---|---|---|
| 11802 | The FILE_PATH parameter is required for the outputpcap command. | The file path was not specified. |
| 11803 | Too many parameters for the outputpcap command. | Two or more parameters were specified. |
Runtime errors
| Error code | Message | Description | Post-processing behavior |
|---|---|---|---|
| 11800 | Access denied to the file path [file_path] for the outputpcap command. | No access permission to the file path. | Cancels the query. |
| 11804 | Cannot open the PCAP file [file] for the outputpcap command. | The PCAP file cannot be opened (path error, etc.). | Cancels the query. |
Description
The outputpcap command writes the binary data in the payload field of each input record to a PCAP file. Records whose payload field is not of byte[] type are not written, but they are still passed to the next command as-is.
The timestamp of each packet is taken from the _time field. If the _time field is missing or not of Date type, the time at which the record is written is used instead. After writing, every record is passed to the next command unchanged.
In a distributed environment, file writing is performed on the Control Node, so FILE_PATH refers to a path on the Control Node's file system.
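The two record rules above (byte[] payload or skip, `_time` of Date type or current time) reproduced in a small pcap writer plus a strict reader, so you can check what a file produced this way should look like and catch a truncated or mis-written one. This is an added example written for this page, not Logpresso's implementation of outputpcap: it assumes records are Python dicts with `payload` and `_time` keys, assumes an Ethernet link type for the pcap global header (the page does not state which link type outputpcap writes), and uses constructed sample frames rather than captured traffic.

```python
"""
Reference pcap writer/reader mirroring the record rules described above:
bytes payload -> written, anything else -> skipped but passed through;
_time datetime -> packet timestamp, otherwise the current time.
Added example for this page, not Logpresso's implementation.
"""
import os
import struct
import tempfile
import time
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1        # assumption: frames are Ethernet (DLT_EN10MB)
SNAPLEN = 65535

# Constructed sample records (not captured traffic): a 42-byte Ethernet/ARP-shaped
# frame with an explicit _time, a record whose payload is a string (must be
# skipped), and a 60-byte frame with no _time (gets the current time).
ARP_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28
SAMPLE_RECORDS = [
    {"payload": ARP_FRAME,
     "_time": datetime.fromtimestamp(1700000000.25, tz=timezone.utc)},
    {"payload": "not bytes", "_time": datetime.now(tz=timezone.utc)},
    {"payload": b"\x00" * 60},
]

def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=SNAPLEN):
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def packet_timestamp(record):
    """(seconds, microseconds) for a record: _time if it is a datetime, else now."""
    t = record.get("_time")
    ts = t.timestamp() if isinstance(t, datetime) else time.time()
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    if usec == 1_000_000:           # rounding carried into the next second
        sec, usec = sec + 1, 0
    return sec, usec

def write_pcap(path, records, snaplen=SNAPLEN):
    """Write bytes payloads to `path`; return counts and the pass-through list."""
    written = skipped = 0
    passed = []
    with open(path, "wb") as f:
        f.write(pcap_global_header(snaplen=snaplen))
        for rec in records:
            passed.append(rec)                       # records continue unchanged
            payload = rec.get("payload")
            if not isinstance(payload, (bytes, bytearray)):
                skipped += 1
                continue
            sec, usec = packet_timestamp(rec)
            incl = min(len(payload), snaplen)        # captured length vs. original length
            f.write(struct.pack("<IIII", sec, usec, incl, len(payload)))
            f.write(bytes(payload[:incl]))
            written += 1
    return {"written": written, "skipped": skipped, "passed": passed}

def read_pcap(path):
    """Parse a pcap file back into (sec, usec, data) tuples, rejecting a malformed file."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic, _major, _minor, _tz, _sig, snaplen, _linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file: magic=%#x" % magic)
    packets, off = [], 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, incl, orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        if incl > snaplen or incl > orig or len(data) - off < incl:
            raise ValueError("bad record length at offset %d" % off)
        packets.append((sec, usec, data[off:off + incl]))
        off += incl
    return packets

def demo(path=None):
    """Write SAMPLE_RECORDS to a (temporary) file and read them back."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".pcap")
        os.close(fd)
    result = write_pcap(path, SAMPLE_RECORDS)
    result["packets"] = read_pcap(path)
    result["path"] = path
    return result

if __name__ == "__main__":
    r = demo()
    print("wrote %d, skipped %d -> %s" % (r["written"], r["skipped"], r["path"]))
    for sec, usec, pkt in r["packets"]:
        print(datetime.fromtimestamp(sec + usec / 1e6, tz=timezone.utc).isoformat(), len(pkt), "bytes")
```

The reader deliberately refuses a file with a truncated record header or a record whose captured length exceeds the snaplen or the original length: a capture cut off mid-write (for example by a cancelled query) fails loudly here rather than being silently accepted by a lenient tool.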
Examples
- Save packets received from a stream as a PCAP file

  ```
  logger window=5m localhost\pcap_stream | pcapdecode | outputpcap /opt/logpresso/files/capture.pcap
  ```

  Monitors the pcap_stream logger for 5 minutes and saves all packets to a PCAP file.

- Filter packets on a specific port and save

  ```
  logger window=5m localhost\pcap_stream | pcapdecode | search src_port == 80 or dst_port == 80 | outputpcap /opt/logpresso/files/http.pcap
  ```

  Filters only packets with source or destination port 80 and saves them to a PCAP file.