
PCAP Analyzer for Splunk: Does anyone have the tshark tokens for OS X that should be used?

jtrujillo
Path Finder

I tried using the Unix one and I am getting this:

Capturing on 'Wi-Fi'
tshark: Invalid capture filter "–r SIPphone.pcap -T fields -e frame.time -e tcp.stream -e ip.src -e ip.dst -e _ws.col.Protocol -e tcp.srcport -e tcp.dstport -e tcp.len -e tcp.window_size -e tcp.flags.syn -e tcp.flags.ack -e tcp.flags.push -e tcp.flags.fin -e tcp.flags.reset -e ip.ttl -e _ws.col.Info -e tcp.analysis.ack_rtt -e vlan.id" for interface 'Wi-Fi'.

That string isn't a valid capture filter (illegal token).
See the User's Guide for a description of the capture filter syntax.

jtrujillo
Path Finder

Figured it out... the pcap2csv.sh has a char that OS X tshark doesn't like.

"do tshark –r "$f" -T fields -e f"

Notice the dash in front of the "r" is longer than the others... once I replaced that with a regular dash, it started working fine.

Maybe the dev will update in the next version.

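An added example, not from the thread or from the PCAP Analyzer app, that checks a wrapper such as pcap2csv.sh for the en dash the poster found (and the em dash), reports the offending lines, and rewrites them with a plain ASCII hyphen while keeping a .bak copy. The sample script it builds is constructed to reproduce the faulty "–r" line; the file path and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread or the PCAP Analyzer app:
# find and repair "smart" dashes (en dash U+2013, em dash U+2014) in a shell
# wrapper such as pcap2csv.sh before it reaches tshark. A non-ASCII dash in
# front of "r" means tshark sees no -r option at all and takes the rest of
# the line as a capture filter, which is the error shown in the question.

# UTF-8 byte sequences of the two dashes, written as POSIX printf octal escapes.
EN_DASH=$(printf '\342\200\223')
EM_DASH=$(printf '\342\200\224')

# Lines of $1 that contain either dash, with line numbers; exit status 1 if none.
find_unicode_dashes() {
    LC_ALL=C grep -n -e "$EN_DASH" -e "$EM_DASH" "$1"
}

# Number of lines in $1 that contain either dash (prints 0 when the file is clean).
count_unicode_dashes() {
    LC_ALL=C grep -c -e "$EN_DASH" -e "$EM_DASH" "$1" || true
}

# Rewrite $1 in place, replacing every Unicode dash with an ASCII hyphen-minus.
# The original is kept as $1.bak so the change can be reviewed before running it.
fix_unicode_dashes() {
    cp "$1" "$1.bak"
    LC_ALL=C sed "s/$EN_DASH/-/g; s/$EM_DASH/-/g" "$1.bak" > "$1"
}

# Constructed sample wrapper reproducing the faulty line from pcap2csv.sh.
write_sample_script() {
    printf 'for f in *.pcap; do tshark %sr "$f" -T fields -e frame.time; done\n' "$EN_DASH" > "$1"
}

# Stand-alone demonstration: build the sample, report, fix, report again.
if [ "${1:-}" = "--demo" ]; then
    sample=$(mktemp)
    write_sample_script "$sample"
    echo "before: $(count_unicode_dashes "$sample") line(s) with Unicode dashes"
    find_unicode_dashes "$sample"
    fix_unicode_dashes "$sample"
    echo "after:  $(count_unicode_dashes "$sample") line(s) with Unicode dashes"
    cat "$sample"
    rm -f "$sample" "$sample.bak"
fi
```

Run it with `--demo` to see the before/after on the constructed sample, or point `find_unicode_dashes` at the real pcap2csv.sh shipped with the app.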
