All Apps and Add-ons

PCAP Analyzer for Splunk: Does anyone have the tshark tokens for OS X that should be used?

jtrujillo
Path Finder

I tried using the Unix one and I am getting this:

Capturing on 'Wi-Fi'
tshark: Invalid capture filter "–r SIPphone.pcap -T fields -e frame.time -e tcp.stream -e ip.src -e ip.dst -e _ws.col.Protocol -e tcp.srcport -e tcp.dstport -e tcp.len -e tcp.window_size -e tcp.flags.syn -e tcp.flags.ack -e tcp.flags.push -e tcp.flags.fin -e tcp.flags.reset -e ip.ttl -e _ws.col.Info -e tcp.analysis.ack_rtt -e vlan.id" for interface 'Wi-Fi'.

That string isn't a valid capture filter (illegal token).
See the User's Guide for a description of the capture filter syntax.
0 Karma
1 Solution

jtrujillo
Path Finder

Figured it out... the pcap2csv.sh has a char that OS X tshark doesn't like.

"do tshark –r "$f" -T fields -e f"

Notice the dash in front of the "r" is longer than the others... once I replaced that with a regular dash, it started working fine.

Maybe the dev will update in the next version.

View solution in original post

0 Karma

jtrujillo
Path Finder

Figured it out... the pcap2csv.sh has a char that OS X tshark doesn't like.

"do tshark –r "$f" -T fields -e f"

Notice the dash in front of the "r" is longer than the others... once I replaced that with a regular dash, it started working fine.

Maybe the dev will update in the next version.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...