Adding data from Wireshark capture windows txt file into Splunk

misteryuku — Wed, 18 Apr 2012 05:25:24 GMT

Lets say i have already converted a wireshark pcap file to a windows text file, so do i need to "format" the data from the wireshark txt file to log data if i want to monitor the wireshark text data using Splunk??? I went to the Splunk manager > data inputs > Add data > Files and Directories > Data Preview > Add New. Under Add new section i selected "Continuously index data from a file or directory this Splunk instance can access" then i entered the path of the wireshark windows txt file and i saved the settings.

After that i went to the Splunk's search app to view the logs.

The logs appeared too strange for me :

2:36:17.000 PM

Frame 1: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
host=TokJunXin-PC Options| sourcetype=logcapture Options| source=C:UsersTok Jun XinDesktoplogcapture.txt Options

2 » 2/2/10
10:40:36.412 PM
Arrival Time: Feb 2, 2010 22:40:36.412684000 Malay Peninsula Standard Time
host=TokJunXin-PC Options| sourcetype=logcapture Options| source=C:UsersTok Jun XinDesktoplogcapture.txt Options

3 » 2/2/10
10:40:36.412 PM
Arrival Time: Feb 2, 2010 22:40:36.412682000 Malay Peninsula Standard Time
host=TokJunXin-PC Options| sourcetype=logcapture Options| source=C:UsersTok Jun XinDesktoplogcapture.txt Options

4 » 2/2/10
10:40:36.412 PM
Arrival Time: Feb 2, 2010 22:40:36.412681000 Malay Peninsula Standard Time
host=TokJunXin-PC Options| sourcetype=logcapture Options| source=C:UsersTok Jun XinDesktoplogcapture.txt Options

Then some look like this :

41 » 2/2/10
10:40:36.411 PM
Arrival Time: Feb 2, 2010 22:40:36.411832000 Malay Peninsula Standard Time
host=TokJunXin-PC Options| sourcetype=logcapture Options| source=C:UsersTok Jun XinDesktoplogcapture.txt Options

42 » 2/2/10
10:40:36.000 PM
Epoch Time: 1265121636.412684000 seconds
[Time delta from previous captured frame: 0.000002000 seconds]
[Time delta from previous displayed frame: 0.000002000 seconds]
[Time since reference or first frame: 0.000852000 seconds]
Frame Number: 40
Frame Length: 54 bytes (432 bits)
Capture Length: 54 bytes (432 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:tcp]
Show all 66 lines
host=TokJunXin-PC Options| sourcetype=logcapture Options| source=C:UsersTok Jun XinDesktoplogcapture.txt Options

43 » 2/2/10
10:40:36.000 PM
Epoch Time: 1265121636.412682000 seconds
[Time delta from previous captured frame: 0.000001000 seconds]
[Time delta from previous displayed frame: 0.000001000 seconds]
[Time since reference or first frame: 0.000850000 seconds]
Frame Number: 39
Frame Length: 54 bytes (432 bits)
Capture Length: 54 bytes (432 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:tcp]
Show all 67 lines

Every raw data for each log event shown for the wireshark txt file source doesn't seem right to me. I would like to know if there is any way to display the wireshark capture data in the windows txt file as log events correctly as in getting logs out of Wireshark pcap files????

Re: Adding data from Wireshark capture windows txt file into Splunk

Drainy — Wed, 18 Apr 2012 07:33:25 GMT

Well the txt version will still hold the same data. The actions that determine the content are your capture settings in the first place and what you choose to save. To perform useful extraction from the above data you could write your own regular expressions and then use a combination of a props.conf and a transforms.conf to performthe extraction at search or index time

topic Re: Adding data from Wireshark capture windows txt file into Splunk in Getting Data In

Adding data from Wireshark capture windows txt file into Splunk

Re: Adding data from Wireshark capture windows txt file into Splunk