topic Re: Monitoring a wireshark file using Splunk in Getting Data In

Monitoring a wireshark file using Splunk

misteryuku — Tue, 17 Apr 2012 06:03:04 GMT

How does the Splunk monitor a Wireshark capture file in its textual form in windows 7? I converted the wireshark pcap file to the txt file. Based on what i read from the Splunk answers forum : http://splunk-base.splunk.com/answers/2922/splunk-monitoring-a-wireshark-file , jerrad installed the Splunk Light Forwarder and have it monitor the textual file from the /tshark/splunk/gtp/ directory.

So that means i can set up a Splunk light forwarder using Splunk web right? I followed the instructions from the http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Deployaforwarder which teaches how to set up the light heavy forwarders. The instruction states a heavy forwarder has to be set up before setting up a light forwarder, which im not sure of cos i clicked add new against the configure forwarding section, which i have entered the host and port no and saved the settings.

However, i'm quite new to Splunk and now im using Splunk 4.3. When i was about to go to the manager in the Splunk Web to set up the forwarder, the instruction in the forwarding and recieving section in manager states that CAUTION: This will immediately turn off Splunk Web if the light forwarder in the Splunk web. So i would like to know if the light forwarder is the one that monitors the converted wireshark captured file as txt file since Splunk 4.3 ?

I hope this would not be treated as a duplicate question.

Re: Monitoring a wireshark file using Splunk

MuS — Tue, 17 Apr 2012 06:08:30 GMT

Hi misteryuku

just setup everything as you want it on the heavy forwarder and if you get the data the way you want it, go into UI - Manager - Apps and enable the light forwarder. This will disable the web UI and some other features of splunk.

cheers

Re: Monitoring a wireshark file using Splunk

misteryuku — Tue, 17 Apr 2012 06:16:33 GMT

Disabling the web UI and some other features of Splunk sounds like there would be disadvantages. I m quite skeptical. Cos my goal is to monitor the converted wireshark capture file in windows 7 txt file using Splunk.

Re: Monitoring a wireshark file using Splunk

MuS — Tue, 17 Apr 2012 06:20:37 GMT

enabling the light forwarder will only disable the web UI which is only used for config changes for example and data inputs to the light forwarder will not be parsed (probs.conf and transform.conf will not be processed on the light forwarder). you still will be able to monitor the directory 😉 but you reduce the system load and the footprints in the data caused by splunk

Re: Monitoring a wireshark file using Splunk

misteryuku — Tue, 17 Apr 2012 06:27:02 GMT

When i clicked enable light forwarder, the splunk web prompted me to restart Splunk. and there was no restart splunk button and i have to go to the Splunk's CLI. So how do i restart splunk using the CLI?

Re: Monitoring a wireshark file using Splunk

MuS — Tue, 17 Apr 2012 06:29:19 GMT

change to SPLUNK_HOME (which is the directory where Splunk is installed) and execute as splunk user:
./bin/splunk restart (on *inx)
\bin\splunk.exe restart (on Windows)

Re: Monitoring a wireshark file using Splunk

misteryuku — Tue, 17 Apr 2012 06:38:32 GMT

My PC is running the Windows 7 Platform. Is it done in the Windows 7 cmd line interface? calling cd?? I'm quite lost .....

Re: Monitoring a wireshark file using Splunk

MuS — Tue, 17 Apr 2012 06:51:45 GMT

hit win-r enter cmd enter cd %SPLUNK_HOME%\bin enter splunk.exe restart enter <done>

Re: Monitoring a wireshark file using Splunk

MuS — Tue, 17 Apr 2012 07:03:23 GMT

take any cmd (running or not) change dir (eq cd) into your splunk installation directory, change there into bin directory, enter there the following command \"splunk.exe restart\" without the quotes!

Re: Monitoring a wireshark file using Splunk

misteryuku — Tue, 17 Apr 2012 07:07:47 GMT

cd %SPLUNK_HOME%bin resulted in path cannot be found,so i entered cd Splunk then cd bin then enter splunk.exe restart enter

Re: Monitoring a wireshark file using Splunk

MHibbin — Tue, 17 Apr 2012 07:40:24 GMT

misteryuku,

What does your Splunk architecture consist of? - i.e. is it single installation running on one PC (e.g. your laptop or PC), or is Splunk running in a networked server and you are trying to collect data from a remote PC/laptop that runs Windows 7?

If you are running the Splunk server on your local PC/laptop AND the wireshark file is on the same physical machine, you will not need a forwarder (I think this may be were your confusion is) - A forwarder is used to collect data from a remote machine (i.e. if the wireshark file is on ANOTHER PC/laptop).

If the wireshark file is on another machine you will need to install Splunk there as a forwarder. In which case, once you have set up the remote instance of Splunk you will probably not need to use the GUI, so it may be beneficial (for system resources (i.e. CPU, memory, etc), to disable the interface.

It really depends what your architecure is ...?

Regards,

MHibbin

Re: Monitoring a wireshark file using Splunk

misteryuku — Tue, 17 Apr 2012 07:49:29 GMT

It is a single installation running on one PC. eg my laptop. My aim is to monintoring a converted wireshark file as a txt file using splunk. My wireshark file is found locally on my PC and the Splunk is also found in the same local PC as well. My PC is running Windows 7

Re: Monitoring a wireshark file using Splunk

misteryuku — Tue, 17 Apr 2012 07:50:48 GMT

Since if the wireshark file is on the same machine as Splunk, What is the way to monitor the wireshark file in txt file format instead of using forwarders?

Re: Monitoring a wireshark file using Splunk

MHibbin — Tue, 17 Apr 2012 08:01:31 GMT

OK, I thought that was the situation. In that case you will not need a forwarder, so DON'T turn off the GUI!

If the wireshark file is simply stored as a rolling text file (i.e. more data is appended to file, and not stored in a new file). I would set the input up as a "file monitor". The best option would be to go your manager from Splunk add another input (for example: Splunk >> Manager >> Data Inputs >> Files & directories >> New) and then follow the use the use the "Preview data before indexing" option to browse for your file and make sure all events appear as they are supposed to...

Re: Monitoring a wireshark file using Splunk

MHibbin — Tue, 17 Apr 2012 08:02:54 GMT

i.e. the correct timestamp recognition is in place, and line breaking is taking place correctly. It is easier to make changes to timestamp recognition/line breaking here, as Splunk will assist in the setup (and even show you what changes are being made to the props.conf file).

If this answers your question, can you mark the answer as accpeted (the tick next to my answer), as this will show others the question does not require more attention, and helps those looking for answers. 🙂

Re: Monitoring a wireshark file using Splunk

misteryuku — Tue, 17 Apr 2012 08:08:19 GMT

So basically you mean is that i can simply upload the text file manually.

Re: Monitoring a wireshark file using Splunk

misteryuku — Tue, 17 Apr 2012 08:09:31 GMT

However the contents in the wireshark txt file looks like this :

Frame 1: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Arrival Time: Feb 2, 2010 22:40:36.411832000 Malay Peninsula Standard Time
Epoch Time: 1265121636.411832000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 54 bytes (432 bits)
Capture Length: 54 bytes (432 bits)
............ and so on.......

Re: Monitoring a wireshark file using Splunk

misteryuku — Tue, 17 Apr 2012 08:10:21 GMT

So can i use this wireshark txt file for monitoring using Splunk?

Re: Monitoring a wireshark file using Splunk

Drainy — Tue, 17 Apr 2012 08:13:05 GMT

What are you looking to monitor in the file?

Re: Monitoring a wireshark file using Splunk

misteryuku — Tue, 17 Apr 2012 08:22:08 GMT

That means i would have to specify what i would like monitor. In this case, i would like to detect log anomalies such as the occurence of Denial of Service attacks. So what do i do so that i can monitor the wireshark text file the way i want?