All Apps and Add-ons
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- How to ingest PCAP files into Splunk?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to ingest PCAP files into Splunk?
manikanta461
Explorer
07-25-2018
04:58 AM
I tried to ingest the captured pcap files manually using the following documentation and I don't see that file being indexed.
https://docs.splunk.com/Documentation/StreamApp/7.1.2/DeployStreamApp/UseStreamtoparsePCAPfiles
When I try the first option mentioned in the above documentation, all I see is my inputs.conf growing in size with my pcap file data, but it is not indexed into Splunk.
When I try the second option, I don't see anything working.
Can you please give me some leads on how to index the Pcap files.
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Abu-Zaynab
New Member
09-21-2024
10:30 AM
Convert the pcap file to a text file before ingesting into splunk
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
runnikrishnan_s
Splunk Employee
08-16-2019
12:10 PM
My understanding is that the pcap file upload via the Splunk Stream Web UI might have caused some kind of corruption. This may not be the right solution. However, this is a workaround that worked for me.
1. delete the (growing) inputs.conf file (which apparently contains some binary data)
2. delete the corresponding "data input" created via Splunk Web UI
Now, as per option 2 in manual, run the command via CLI which should be something like this:
./streamfwd -r
This should successfully cause the pcap file to be ingested by Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
runnikrishnan_s
Splunk Employee
08-15-2019
12:04 PM
Were you able to figure this out? I am seeing the same issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
skalliger
Motivator
08-16-2019
03:01 AM
I'd also suggest to use the PCAP analyzer app linked above. Works well for analyzing traces.
Skalli
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thambisetty
SplunkTrust
07-27-2018
06:02 AM
try https://splunkbase.splunk.com/app/2748/
————————————
If this helps, give a like below.
If this helps, give a like below.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manikanta461
Explorer
07-27-2018
06:11 AM
Thanks for your comment, but that app needs Wireshark running on our server in order to index the Pcap files
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
07-25-2018
06:33 AM
It's not possible for your PCAP data to be saved in your inputs.conf file. Are you sure of what you're seeing?
How are you trying to find the data?
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manikanta461
Explorer
07-25-2018
10:31 PM
Yeah, this is the file "bfd-raw-auth-simple.pcap" which I tried to index into Splunk using the first method mentioned here, https://docs.splunk.com/Documentation/StreamApp/7.1.2/DeployStreamApp/UseStreamtoparsePCAPfiles
This is my inputs.conf file present in the location: "#SPLUNK_HOME/etc/apps/splunk_app_stream/local"
[upload_pcap://PCAP]
index = 1_mani_test
pcap_file = FieldStorage('pcap_file', 'bfd-raw-auth-simple.pcap', '\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x01\x00\x00\x00/w\x07\x00^@\x05\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x00\x00\x00\n\x11/X\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secretN\n\x90@/w\x07\x00\x9eM\x08\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x01\x00\x00\n\x11/W\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\xc2\x82\xde\x8d/w\x07\x00\xdeZ\x0b\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x02\x00\x00\n\x11/V\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secretJ\xafP//w\x07\x00\x1eh\x0e\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x03\x00\x00\n\x11/U\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\xcf\x90\xe7e0w\x07\x00\x1e3\x02\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x04\x00\x00\n\x11/T\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\x1b\xf2=\xb10w\x07\x00^@\x05\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x05\x00\x00\n\x11/S\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\x99\xa0\xdd\x860w\x07\x00\x9eM\x08\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x06\x00\x00\n\x11/R\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\x11\x8dS$0w\x07\x00\xdeZ\x0b\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x07\x00\x00\n\x11/Q\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\x94\xb2\xe4n0w\x07\x00\x1eh\x0e\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x08\x00\x00\n\x11/P\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\xf8N\x96V1w\x07\x00\x1e3\x02\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\t\x00\x00\n\x11/O\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret)t\xf4\xb51w\x07\x00^@\x05\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\n\x00\x00\n\x11/N\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\xa1Yz\x171w\x07\x00\x9eM\x08\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x0b\x00\x00\n\x11/M\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret$f\xcd]1w\x07\x00\xdeZ\x0b\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x0c\x00\x00\n\x11/L\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\xf0\x04\x17\x891w\x07\x00\x1eh\x0e\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\r\x00\x00\n\x11/K\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secretrV\xf7\xbe2w\x07\x00\x1e3\x02\x00O\x00\x00\x00O\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x10\x94\x00\x00\x02\x08\x00E\x00\x00=\x00\x0e\x00\x00\n\x11/J\xc0U\x01\x02\xc0\x00\x00\x01\x04\x00\x0e\xc8\x00)r1 D\x05!\x00\x00\x00\x01\x00\x00\x00\x00\x00\x0fB@\x00\x0fB@\x00\x00\x00\x00\x01\t\x02secret\xfa{y\x1c')
repeat = 0
systemTime = 1
I tried to find the data by searching in the index I mentioned above, which is "1_mani_test"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
07-26-2018
06:07 AM
I suggest you try one of the other methods for setting up PCAP ingestion. From my reading of the doc, configurations should be in streamfwd.conf, not inputs.conf. See the Examples section at http://docs.splunk.com/Documentation/StreamApp/7.1.2/DeployStreamApp/UseStreamtoparsePCAPfiles#Examp....
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manikanta461
Explorer
07-26-2018
09:39 PM
Yeah, I tried the other two methods as well. But I'm not able to get my files to Splunk.
when I try the second method, this is the error which I get.
[root@fr0-1z00-10 bin]# ./streamfwd -r /mnt/Data/Pcapfiles/bfd-raw-auth-simple.pcap
08:01:15.421 INFO stream.CaptureServer - Found DataDirectory: /opt/splunk/etc/apps/Splunk_TA_stream/data
08:01:15.421 INFO stream.CaptureServer - Found UIDirectory: /opt/splunk/etc/apps/Splunk_TA_stream/ui
08:01:16.319 FATAL stream.main - Failed to start streamfwd, the process will be terminated: Unable to ping server (c060ec11-3abe-4858-bd1b-25edb89f02f5): U nable to establish connection to localhost: Connection refused
Regarding the third method, I've appended my streamfwd.conf with the following contents, and I've performed a restart, but there was no success
[streamfwd]
streamfwdcapture.0.offline = true
streamfwdcapture.0.interface = /mnt/Data/Pcapfiles
However, I suspect the issue might be in how I have installed my Stream App.
I haven't performed an SSL certification. Is it because of that? and moreover I have installed the app from my Splunk UI, which I run on my windows PC, but I have actually installed Splunk on my Linux machine.
I login to the Linux machine using ssh
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
07-27-2018
05:54 AM
You're exceeding my experience with Stream, but I believe you've installed it correctly. You may want to try installing it directly on the Linux box if you can.
Check your firewalls to make sure they're not blocking Stream traffic.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!
Buttercup Games Tutorial Extension - part 9
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Buttercup Games Tutorial Extension - part 8
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Introducing the Splunk Developer Program!
Hey Splunk community! We are excited to announce that Splunk is launching the Splunk Developer Program in ...
