<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Streamfwd pcap filter compilation error in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Streamfwd-pcap-filter-compilation-error/m-p/745904#M118552</link>
    <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/310038"&gt;@Mit&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Can you check this.&amp;nbsp;&lt;A href="https://community.splunk.com/t5/Deployment-Architecture/streamfwd-app-error-in-var-log-splunk-streamfwd-log/m-p/658283" target="_blank" rel="noopener"&gt;https://community.splunk.com/t5/Deployment-Architecture/streamfwd-app-error-in-var-log-splunk-streamfwd-log/m-p/658283&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-uninstall-Independent-Stream-Forwarder/m-p/278073" target="_blank"&gt;https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-uninstall-Independent-Stream-Forwarder/m-p/278073&lt;/A&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Sun, 11 May 2025 07:43:15 GMT</pubDate>
    <dc:creator>kiran_panchavat</dc:creator>
    <dc:date>2025-05-11T07:43:15Z</dc:date>
    <item>
      <title>Streamfwd pcap filter compilation error</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Streamfwd-pcap-filter-compilation-error/m-p/745798#M118534</link>
      <description>&lt;P&gt;I'm attempting to set up an Independent Stream Forwarder on a RHEL machine to collect netflow data, and have it forwarded to HEC on another machine. I have most of the configuration worked out, but when I start the streamfwd service I am receiving the following log messages:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;INFO  [140109244728192] (SnifferReactor/SnifferReactor.cpp:161) stream.SnifferReactor - Starting network capture: sniffer
ERROR [140109244728192] (SnifferReactor/PcapNetworkCapture.cpp:238) stream.NetworkCapture - SnifferReactor pcap filter 'not (host REDACTED and port 443) and not (host $decideOnStartup and port 8088)' compilation error: aid supported only on ARCnet
FATAL [140109244728192] (CaptureServer.cpp:2338) stream.CaptureServer - SnifferReactor was unable to start packet capturesniffer&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I don't know where it's getting that filter. I attempted to set the below line in streamfwd.conf with a valid BPF, but it doesn't seem to honor it and continues with the same error.&lt;/P&gt;&lt;PRE&gt;streamfwdcapture.&amp;lt;N&amp;gt;.filter = &amp;lt;BPF&amp;gt;&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm not necessarily concerned at this point with getting a working filter, but I assume the filter in the log message is the issue, since it's the only error in the log. Appreciate any help, thanks in advance.&lt;/P&gt;</description>
      <pubDate>Thu, 08 May 2025 19:01:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Streamfwd-pcap-filter-compilation-error/m-p/745798#M118534</guid>
      <dc:creator>Mit</dc:creator>
      <dc:date>2025-05-08T19:01:38Z</dc:date>
    </item>
    <item>
      <title>Re: Streamfwd pcap filter compilation error</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Streamfwd-pcap-filter-compilation-error/m-p/745904#M118552</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/310038"&gt;@Mit&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Can you check this.&amp;nbsp;&lt;A href="https://community.splunk.com/t5/Deployment-Architecture/streamfwd-app-error-in-var-log-splunk-streamfwd-log/m-p/658283" target="_blank" rel="noopener"&gt;https://community.splunk.com/t5/Deployment-Architecture/streamfwd-app-error-in-var-log-splunk-streamfwd-log/m-p/658283&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-uninstall-Independent-Stream-Forwarder/m-p/278073" target="_blank"&gt;https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-uninstall-Independent-Stream-Forwarder/m-p/278073&lt;/A&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 11 May 2025 07:43:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Streamfwd-pcap-filter-compilation-error/m-p/745904#M118552</guid>
      <dc:creator>kiran_panchavat</dc:creator>
      <dc:date>2025-05-11T07:43:15Z</dc:date>
    </item>
  </channel>
</rss>

