pcapfile
Queries packet data from a PCAP file.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | Cluster administrator |
| License usage | Licensed command |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
pcapfile PATH
PATH (required) - Path to the PCAP file
Error codes
Parse errors
| Error code | Message | Description |
|---|---|---|
| 11900 | invalid-file-path | The file does not exist or cannot be read |
| 11901 | invalid-enclosing-path | The parent directory does not exist or cannot be read |
| 11902 | missing-field | No file path specified |
| 11903 | access-denied-to-file | File access is denied |
| 11904 | permission-denied | The user does not have cluster administrator privilege |
Runtime errors
N/A
Description
The pcapfile command reads packet data from a PCAP file and returns each packet as a record. Because the packet binary is returned in the payload field, pass the output to a packet processing command such as decodedhcp, decodedns, decodehttp, decodesflow, or pcapdecode.
Output fields
| Field | Type | Description |
|---|---|---|
| _time | timestamp | Packet capture time |
| payload | binary | Packet binary data |
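To show what one record per packet looks like, this added Python example (not Logpresso's implementation) parses the classic PCAP layout into records carrying the same _time and payload fields. The names read_pcap and build_sample and the sample bytes are constructed for this illustration; it assumes the classic libpcap format rather than pcapng.

```python
import struct
from datetime import datetime, timedelta, timezone

# Classic libpcap magic numbers: microsecond and nanosecond timestamps.
MAGIC_USEC, MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D


def read_pcap(data):
    """Parse classic PCAP bytes; return (linktype, [{'_time', 'payload'}])."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    # The byte order in which the magic matches is the writer's byte order.
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic PCAP file")
    ticks = 1_000_000 if magic == MAGIC_USEC else 1_000_000_000
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    records, offset = [], 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header")
        sec, frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        # Capture files are untrusted input: reject lengths that overrun the file.
        if frac >= ticks or offset + incl_len > len(data):
            raise ValueError("malformed record at offset %d" % (offset - 16))
        when = datetime.fromtimestamp(sec, timezone.utc) + timedelta(
            microseconds=frac * 1_000_000 // ticks)
        records.append({"_time": when, "payload": data[offset:offset + incl_len]})
        offset += incl_len
    return linktype, records


def build_sample(endian="<"):
    """Constructed two-packet capture (sample bytes, not a real trace)."""
    header = struct.pack(endian + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    pkt1 = struct.pack(endian + "IIII", 1700000000, 250000, 4, 4) + b"\xde\xad\xbe\xef"
    pkt2 = struct.pack(endian + "IIII", 1700000001, 0, 2, 60) + b"\x01\x02"
    return header + pkt1 + pkt2


if __name__ == "__main__":
    for record in read_pcap(build_sample())[1]:
        print(record["_time"].isoformat(), record["payload"].hex())
```

The second sample packet has a captured length (2) smaller than its original length (60), so its payload holds only the bytes stored in the file.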
Examples
Reading a PCAP file and decoding DNS packets
pcapfile /opt/logpresso/data/capture.pcap | decodedns
Reads packets from the PCAP file and decodes the DNS protocol using the decodedns command.