topic Re: Ta_tshark in Splunk Enterprise

Ta_tshark

sol69 — Sun, 02 Mar 2025 02:38:32 GMT

How do I configure the inputs.conf for

Ta_tshark TA_tshark (Network Input for Windows) | Splunkbase

Re: Ta_tshark

kiran_panchavat — Sun, 02 Mar 2025 05:10:18 GMT

@sol69

To configure the inputs.conf for the TA_tshark (Network Input for Windows) on Splunk, follow these steps:

Install TA_tshark:
- Install the TA_tshark on your Universal Forwarder (UF) and configure forwarding.
Modify inputs.conf:
- Open the inputs.conf file located in $SPLUNK_HOME/etc/apps/TA_tshark/local/ (create the file ).
- Add the following configuration to capture DNS traffic on port 53:
```
 [script://<give your path>]
 disabled = 0
 index = your_index
 sourcetype = tshark:port53
```
- Ensure the disabled attribute is set to 0 to enable the input.
Modify tcpdump.path:
- If needed, update the bin/tcpdump.path file to point to the correct path of tshark.
Restart the Universal Forwarder:
- After making these changes, restart the Universal Forwarder to apply the new configuration.

inputs.conf - Splunk Documentation

Re: Ta_tshark

kiran_panchavat — Sun, 02 Mar 2025 05:15:48 GMT

@sol69

I recommend exploring an alternative method for forwarding the data, as this add-on or app does not appear to be CIM-compliant. It would be best to review this documentation for more details.

https://community.splunk.com/t5/Splunk-Enterprise/Monitoring-Wireshark-usage-with-splunk/m-p/690530
https://community.splunk.com/t5/Monitoring-Splunk/Splunk-monitoring-a-wireshark-file/td-p/14218

Re: Ta_tshark

livehybrid — Sun, 02 Mar 2025 07:21:10 GMT

Hi @sol69

Please find the following instructions for configuring the add-on

Prerequisites

Wireshark Installation
- Download and install Wireshark.
- During the installation process, deselect all components except for tshark (this is the command-line tool needed for packet capture), unless you have other reasons for installing the full package.
TA-tshark app Installation
- Install the TA-tshark add-on on your Universal Forwarder (UF).
- After installation, ensure you configure the add-on to forward the necessary data.

Configuration Steps

Modify Configuration Files
- inputs.conf:
  - Locate the file (often included in the app package).
  - If needed, modify the configuration—by default, it is set up for Windows to capture traffic on port 53 (DNS) on the first interface.
  - The input is defined with the name tshark:port53 and a specified sourcetype.
- bin/tcpdump.path:
  - Adjust this file if your environment requires a different tcpdump/tshark path than what is provided.
Enable Packet Capture
- In the inputs.conf file, find the stanza corresponding to the capture input.
- Set disabled = 0 to enable the capture feature.
Restart the Universal Forwarder (UF)
- After making all changes, restart the UF to apply the new configuration settings.

Optional: Additional Apps for Enhanced Functionality

For further insights and to extend the functionality of the installed app, consider installing the following complementary Splunk apps:

DNS Insight
DNS Insight on Splunkbase
DHCP Insight
DHCP Insight on Splunkbase

These apps provide additional analysis and visualization capabilities related to DNS and DHCP traffic.

Note - How you install the app on your UF may depend on your architecture - are you using a Deployment Server to distribute apps to your UF(s)?

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Re: Ta_tshark

Solo69 — Thu, 06 Mar 2025 01:05:13 GMT

Thanks, it’s exciting what I needed