topic Re: PCAP Analyzer for Splunk Not Working Properly - Windows in All Apps and Add-ons

PCAP Analyzer for Splunk Not Working Properly - Windows

genesiusj — Wed, 30 Sep 2020 00:35:12 GMT

Hello,
Unable to convert pcap file to a csv for indexing and analysis.

I followed the instructions from Daniel; however, the pcap file is not converting to a csv. Therefore, the data is not being indexed.

I gave Full rights to my ID (and all users on my laptop) to
- Wireshark folder and subfolders (for access to tshark.exe)
- SplunkForPCAP folder and subfolders (for access to ../SplunkForPCAP/bin/ folder)

I set SPLUNK_HOME variable. I tried both as a system and as a public variable.

Here is the procedure I followed
- Drop a pcap in the folder I configured for Data Inputs (PCAPanalyzerTEST)
- A few minutes later, the file is processed? and no longer in the PCAPanalyzerTEST folder
- It is in the PCAPConverted folder
- There is also a csv file in the PCAPcsv folder. However, it is zero bytes long.

Environment
- Windows 8.1 Enterprise
- Splunk Enterprise 7.2.5.1 - Single instance on laptop
- Splunk Stream 7.1.3
- Splunk PCAP Analyzer 4.1.1.0

Here are the contents of the indexes.conf and input.conf files in the Splunk home folder \etc\apps\SplunkForPCAP\local.
indexes.conf
[pcap]
coldPath = $SPLUNK_DB\pcap\colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB\pcap\db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB\pcap\thaweddb

inputs.conf
[pcap://PCAPanalyzerTEST]
host = GCJPC
index = pcap
path = C:\Users\gcj\Desktop\PCAPanalyzerTEST

Thanks in advance for any direction or advice you can offer.
God bless,
Genesius

Re: PCAP Analyzer for Splunk Not Working Properly - Windows

rechteklebe — Mon, 20 May 2019 05:25:55 GMT

Hi Genesius,

from what I am reading there could be 2 things which can be the reason:

Try to set SPLUNK_HOME in the splunk-launch.conf and restart splunk
Make sure Wireshark is installed in standard %programfiles% folders. Is it maybe installed in a customized folder?

Since the csv file (0bytes) is already created, something is wrong on the script which either points to tshark or missing Splunk_HOME, %programfiles% variable.

Thanks,
Daniel

Re: PCAP Analyzer for Splunk Not Working Properly - Windows

genesiusj — Mon, 20 May 2019 13:09:48 GMT

Thanks @rechteklebe
I tried both your suggestions and the csv file is still 0 bytes.
Thanks and God bless,
Genesius

Re: PCAP Analyzer for Splunk Not Working Properly - Windows

rechteklebe — Mon, 20 May 2019 13:13:31 GMT

Can you check the following search:
"index=_internal pcap2csv"
Check for the timestamp when the convert started.

Re: PCAP Analyzer for Splunk Not Working Properly - Windows

genesiusj — Wed, 30 Sep 2020 00:36:52 GMT

@rechteklebe
Daniel,
While searching through the events I was unable to find the start (since I have tried several times, even before I started this thread).

However, I did find some events that may be more helpful in resolving this issue.
Since the time I first install the app to the present, this type of event occurs every ~3 minutes (total 257 times).

-0400 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\etc\apps\SplunkForPCAP\bin\pcap2csv.bat"" File Not Found

pcap2csv.bat is located here C:\Program Files\Splunk\etc\apps\SplunkForPCAP\bin

@echo off
REM Daniel Schwartz
REM This script aims to check which tshark script to execute
REM Version 1.2
REM Created: December 2016
REM Updated: 08.11.2017 - Monitored folders moved to app directory.
for /f "delims=" %%i in ('"%programfiles%\Wireshark\tshark" -v ^| findstr /r (v') do set "TS=%%i"
set T=%TS:~9,2%
set H=%TS:~7,1%
for /f "delims=" %%a in ('"%programfiles%\Wireshark\tshark" -v ^| findstr /r (v ^|findstr /r v2') do set "V2="%%a""
IF NOT [%V2%] == ELSE (
IF %H% LSS 2 IF %T% LEQ 10 (
CALL "%SPLUNK_HOME%\etc\apps\SplunkForPCAP\bin\pcap2csv_1_10_x.bat"
) ELSE (
CALL "%SPLUNK_HOME%\etc\apps\SplunkForPCAP\bin\pcap2csv_1_11_x_1_12_x.bat"
)
)

Thanks and God bless,
Genesius

Re: PCAP Analyzer for Splunk Not Working Properly - Windows

rechteklebe — Mon, 20 May 2019 14:23:40 GMT

Actually you can ignore those errors. The script checks every 3minutes if there is new .pcap file in your folder of your choice. So if you don't put a new .pcap file in the folder, there is no file to be found. The new version of the app will exclude those errors. Not in this release though.

Try to search: "index=_internal pcap2csv NOT "File Not Found""

Re: PCAP Analyzer for Splunk Not Working Properly - Windows

genesiusj — Mon, 20 May 2019 15:08:51 GMT

@rechteklebe
Daniel,
That results with this.

05-20-2019 11:04:33.219 -0400 ERROR ExecProcessor - Couldn't start command ""C:\Program Files\Splunk\etc\apps\SplunkForPCAP\bin\pcap2csv.sh"": FormatMessage was unable to decode error (193), (0xc1)

Thanks and God bless,
Genesius

Re: PCAP Analyzer for Splunk Not Working Properly - Windows

rechteklebe — Mon, 20 May 2019 15:19:44 GMT

Sorry, sh is also not of your interest.
Try to search: "index=_internal pcap2csv NOT "File Not Found" NOT ".sh""

Re: PCAP Analyzer for Splunk Not Working Properly - Windows

genesiusj — Mon, 20 May 2019 15:33:02 GMT

@rechteklebe
Daniel,

Sorry, sh is also not of your interest.

No problem. I appreciate your help.

The new search resulted in zero events.

Thanks and God bless,
Genesius

Re: PCAP Analyzer for Splunk Not Working Properly - Windows

genesiusj — Wed, 22 May 2019 18:57:37 GMT

@rechteklebe
Daniel,
I haven't heard back from you since your last reply.

I've attempted to use tshark to create a CSV from the original PCAP file. Then use PCAP Analyzer to search and analyze the data. I used a tshark command I found here in this SANS paper. Unfortunately, the fields the author is extracting do not match with the fields your app is extracting.

Thanks again for your help with this.

God bless,
Genesius

Re: PCAP Analyzer for Splunk Not Working Properly - Windows

rechteklebe — Thu, 23 May 2019 08:23:17 GMT

Sorry, I was not able to reply earlier.
In your case to troubleshoot better I would concentrate on the 3 bat scripts located in C:\Program Files\Splunk\etc\apps\SplunkForPCAP\bin.

Try to hard code the variables %programfiles%+%SPLUNK_HOME%.
And then execute the script manually via cmd.

Let me know what the script output says when you do it.