Read and dissect PCAP files from DuckDB
Maintainer(s):
hyehudai
Installing and Loading
INSTALL wireduck FROM community;
LOAD wireduck;
Example
-- Basic PCAP reader for local files.
D select count(*), sum("tcp.len"), "tcp.srcport", "tcp.dstport" from read_pcap('~/wireduck/fix.pcap', protocols:=['ip','tcp'], climit:=100) group by "tcp.srcport", "tcp.dstport";
┌──────────────┬────────────────┬─────────────┬─────────────┐
│ count_star() │ sum("tcp.len") │ tcp.srcport │ tcp.dstport │
│    int64     │     int128     │    int64    │    int64    │
├──────────────┼────────────────┼─────────────┼─────────────┤
│          429 │         259678 │       11001 │       53867 │
│           56 │          19702 │       53867 │       11001 │
└──────────────┴────────────────┴─────────────┴─────────────┘
About wireduck
PCAP dissector extension
Wireduck runs tshark behind the scenes and uses Wireshark's field glossary to dissect any packet of any supported protocol into its individual fields, which are exposed as columns so the capture can be analysed with ordinary SQL.
Features
- read_pcap table function.
- Supports any protocol supported by Wireshark.
- Allows pushing filters down to Wireshark through the cfilter and climit parameters.
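As an added example (not from the wireduck README): a detection-style query that combines the protocols, cfilter and climit parameters shown above to find source hosts that touch an unusually large number of distinct TCP destination ports on a single peer, a common port-scan indicator. It assumes 'sample.pcap' as a placeholder path, that cfilter accepts a filter string ('tcp' is valid in both BPF capture-filter and Wireshark display-filter syntax, so it works whichever way wireduck forwards it), and that the Wireshark field names "ip.src", "ip.dst" and "tcp.dstport" are exposed as columns when protocols:=['ip','tcp'] is requested.

```sql
-- Added example; not part of the wireduck project. Path and threshold are placeholders.
WITH tcp_packets AS (
    SELECT "ip.src"      AS src,
           "ip.dst"      AS dst,
           "tcp.dstport" AS dport
    FROM read_pcap('sample.pcap',                 -- placeholder capture file
                   protocols := ['ip', 'tcp'],    -- only dissect the layers we need
                   cfilter   := 'tcp',            -- pushed down to tshark: skip non-TCP early
                   climit    := 100000)           -- cap packets read for large captures
),
fanout AS (
    -- Per (source, destination) pair: how many packets and how many distinct ports
    SELECT src,
           dst,
           count(*)               AS packets,
           count(DISTINCT dport)  AS distinct_ports
    FROM tcp_packets
    GROUP BY src, dst
)
SELECT src, dst, packets, distinct_ports
FROM fanout
WHERE distinct_ports >= 50        -- tune per environment; legitimate clients rarely fan out this wide
ORDER BY distinct_ports DESC, packets DESC;
```

Because the capture filter and packet limit are pushed down to tshark, only matching packets are dissected and materialised, which keeps the query usable on multi-gigabyte captures.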
Prerequisites
tshark (installed as part of Wireshark) must be installed. Verify it is available with:
tshark --version
For examples and instructions, check out the README.
Note: Wireduck is still experimental.