All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Captured traffic with Wireshark and Splunk app for Stream

rubeniturrieta
Communicator
‎06-23-2015 02:21 PM

Hi to everyone

I have a new splunk instance, with Splunk App for Stream with default installation. In my machine, i have captured traffic with Wireshark (two weeks), in a folder. I need this traffic (.pcap) for Splunk App for Stream. Someone knows how to solve this?

Thanks you very much

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mdickey_splunk
Splunk Employee
Splunk Employee
‎06-23-2015 04:21 PM

If the pcap files are on the same machine that your "Wire Data Input" data input (streamfwd) is running on, you should be able to use the command line parameters to send the pcap files to it. See http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/streamfwdcommandlineoptions#Rea...

Note that the streamfwd binary is platform specific. So.. if you have App for Stream installed on a 64-bit Linux server, and you have enabled the Wire Data data input (you should be able to see it's UI at http://your_hostname:8889), and you have Splunk installed in /opt/splunk:

/opt/splunk/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd -r <pcap files>

If you're on OSX instead, it would be:

/opt/splunk/etc/apps/Splunk_TA_stream/darwin_x86_64/bin/streamfwd -r <pcap files>

View solution in original post

Reply
Solved! Jump to solution
Solution

mdickey_splunk
Splunk Employee
Splunk Employee
‎06-23-2015 04:21 PM

If the pcap files are on the same machine that your "Wire Data Input" data input (streamfwd) is running on, you should be able to use the command line parameters to send the pcap files to it. See http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/streamfwdcommandlineoptions#Rea...

Note that the streamfwd binary is platform specific. So.. if you have App for Stream installed on a 64-bit Linux server, and you have enabled the Wire Data data input (you should be able to see it's UI at http://your_hostname:8889), and you have Splunk installed in /opt/splunk:

/opt/splunk/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd -r <pcap files>

If you're on OSX instead, it would be:

/opt/splunk/etc/apps/Splunk_TA_stream/darwin_x86_64/bin/streamfwd -r <pcap files>
Reply
Solved! Jump to solution

hemendralodhi
Contributor
‎03-22-2016 12:40 AM

Hi,

Can we constantly monitor and index a pcap file generated on another machine to be able to use with Stream app?

Thanks
Hemendra

0 Karma
Reply
Solved! Jump to solution

mdickey_splunk
Splunk Employee
Splunk Employee
‎03-22-2016 09:58 AM

There currently is no way for Stream to monitor a directory for new pcap files and automatically load them. You would need to write a script that does this, and calls the above command whenever a new file is available.

0 Karma
Reply
Solved! Jump to solution

hemendralodhi
Contributor
‎03-22-2016 06:14 PM

Thanks for your response. I will check on that and update.

0 Karma
Reply
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...