topic Re: View Packet Payload in Stream in All Apps and Add-ons

View Packet Payload in Stream

kbecker — Fri, 26 Jun 2015 13:54:51 GMT

Starting looking at Stream and have a good amount of tcp/udp flow events in which app is "unknown". How can I view the packets payload in Splunk in order to parse out data/create custom streams? I have enabled src_content but this doesn't show the payload for "unknown" events.

Thanks in advance.

Re: View Packet Payload in Stream

vshcherbakov_sp — Mon, 28 Sep 2020 20:23:33 GMT

Do you mean the src_content field is not present for flows that could not be classified (app is "unknown")? If so, it's probably because Stream didn't capture any payload packets since the src_content data is captured independently from flow classification. I'd suggest checking the packet count fields to see if these flows have anything substantial. Enabling the dest_content field may also be of value.

Re: View Packet Payload in Stream

kbecker — Mon, 28 Sep 2020 20:24:03 GMT

Correct, the src_content and dest_content fields are only populated in just under 5% of our events (this is combined after enabling src_content & dest_content for both TCP & UDP).

What are the packet count fields, packets_in & packets_out?

Is there something else I need to do to view the packet payload within Splunk or will I need to generate some pcaps to start creating parsers for our custom apps?

Re: View Packet Payload in Stream

vshcherbakov_sp — Tue, 29 Sep 2020 06:36:35 GMT

Yes, I'd start with checking packets_in and packets_out fields. There are also data_packets_in and data_packets_out fields indicating the number of TCP payload packets. I'd also suggest upgrading App for Stream to v 6.3 as it contains improvements in the flow classification logic.