Retrieving packet data via database API

Hi,

I was interested whether anyone in the community has successfully used the database API to retrieve packet data associated with one or more events. I'm mostly concerned with events which trigger on multiple packets, such as a rule matching over a stream of reassembled packets, and thus the packet_time_sec and event_time_sec may not always match.

I have noticed that 'event_id' does not uniquely identify an event. The following query returns multiple packets over a long period of time, even though the 'event_id' value is taken from an event with a single packet from a specific day.

SELECT FROM_UNIXTIME(packet_time_sec), HEX(packet_data)
FROM intrusion_event_packet
WHERE sensor_uuid='<value>' AND event_id='<value>';

Would one normally simply match the packet_time_sec with event_time_sec?

Cheers,

Cristian
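As an added illustration (not part of the original post, and not Cisco's schema or guidance): a constructed in-memory table carrying the columns the question names, showing why filtering on event_id alone returns packets from unrelated occurrences, and how pinning the event to its event_time_sec with a small tolerance on packet_time_sec narrows the result to the reassembled stream. The table layout, the presence of event_time_sec in the packet table, the sample rows and the tolerance window are all assumptions.

```python
import sqlite3

# Constructed sample rows (assumed layout, not the real Firepower schema):
# (sensor_uuid, event_id, event_time_sec, packet_time_sec, packet_data)
PACKETS = [
    ("sensor-A", 1001, 1700000000, 1700000000, b"\x45\x00\x01"),  # single-packet event, day 1
    ("sensor-A", 1001, 1700000000, 1699999998, b"\x45\x00\x02"),  # earlier segment of same stream
    ("sensor-A", 1001, 1700604800, 1700604800, b"\x45\x00\x03"),  # same event_id reused a week later
    ("sensor-B", 1001, 1700000000, 1700000000, b"\x45\x00\x04"),  # same event_id on another sensor
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory stand-in for intrusion_event_packet (assumed columns)."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE intrusion_event_packet (
        sensor_uuid TEXT, event_id INTEGER, event_time_sec INTEGER,
        packet_time_sec INTEGER, packet_data BLOB)""")
    con.executemany("INSERT INTO intrusion_event_packet VALUES (?,?,?,?,?)", PACKETS)
    return con


def packets_by_event_id(con, sensor_uuid, event_id):
    """The post's query shape: event_id is reused over time, so this also
    returns packets from unrelated occurrences on the same sensor."""
    return con.execute(
        "SELECT packet_time_sec, hex(packet_data) FROM intrusion_event_packet "
        "WHERE sensor_uuid=? AND event_id=? ORDER BY packet_time_sec",
        (sensor_uuid, event_id)).fetchall()


def packets_for_event(con, sensor_uuid, event_id, event_time_sec, tolerance_sec=5):
    """Pin the event to (sensor_uuid, event_id, event_time_sec) and accept packets
    whose packet_time_sec falls up to tolerance_sec before the event, so segments
    of a reassembled stream that arrived earlier than the alert are still included.
    The tolerance window is an assumption for illustration."""
    lo, hi = event_time_sec - tolerance_sec, event_time_sec
    return con.execute(
        "SELECT packet_time_sec, hex(packet_data) FROM intrusion_event_packet "
        "WHERE sensor_uuid=? AND event_id=? AND event_time_sec=? "
        "AND packet_time_sec BETWEEN ? AND ? ORDER BY packet_time_sec",
        (sensor_uuid, event_id, event_time_sec, lo, hi)).fetchall()
```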
