I am trying to analyze a static PCAP file. I have pointed Splunk to the pcap file using "Data inputs » PCAP File Location". But when I view the Top Talker Overview, with "Select tcpdump file" set to "All" or "C:\Program Files\Splunk\etc\apps\SplunkForPCAP\bin\pcap2csv.bat", the search status is always "Search is waiting for input...".
As an alternative, I have managed to convert the pcap file to csv using Wireshark and upload the data to Splunk, but I would still like to use the app as a reference on what I can see from a pcap file.
May I know what else I need to do to view the pcap file using the app?
I've published a short getting started post at https://devops-online.com/pcap-analyzer-for-splunk-getting-started/
Please go through these points.
Your pcap file should appear with the same name in the dropdown menu.
If not, please make sure the points in the post are done.
I did point UI --> PCAP File Location to my pcap file. From the search "Data Summary" I can see the index was updated just when I set the PCAP File Location. But the PCAP file did not disappear from the folder. From Search, the pcap is as shown below. The information is not as detailed as when I look at it in Wireshark.
PCAP Analyzer for Splunk could not display anything on the dashboard at all, even when I change to another tcpdump selection.
Put the .pcap file into the folder you have specified via UI --> PCAP File Location (e.g. C:\Temp).
(No need to upload a csv file. The app will do it for you with the proper field extraction etc.)
Make sure the Splunk_Home variable is set and Wireshark is installed under %programfiles%.
The app checks every minute for new pcap files.
You will recognize that your conversion was successful because the file will disappear from that folder.
Let me know if you have more questions.
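The checklist above can be verified before waiting on the dashboard. The following PowerShell preflight script is an added example, not part of the app or the original answer; it assumes the drop folder is C:\Temp, that the variable is SPLUNK_HOME, that Wireshark's tshark.exe sits under %programfiles%\Wireshark, and that pcap2csv.bat is at the path quoted in the question.

```powershell
# Added preflight check for the PCAP Analyzer prerequisites (assumptions:
# drop folder C:\Temp, SPLUNK_HOME variable, tshark.exe under %programfiles%\Wireshark).
param(
    [string]$PcapFolder = 'C:\Temp',
    [int]$WaitMinutes = 2   # the app polls once a minute; allow two polls
)

$problems = @()

# 1. Splunk_Home variable must be set and point at an existing directory
$splunkHome = $env:SPLUNK_HOME
if (-not $splunkHome -or -not (Test-Path $splunkHome)) {
    $problems += "SPLUNK_HOME is not set or does not exist: '$splunkHome'"
}

# 2. Wireshark must be installed under %programfiles% (tshark performs the conversion)
$tshark = Join-Path $env:ProgramFiles 'Wireshark\tshark.exe'
if (-not (Test-Path $tshark)) {
    $problems += "tshark.exe not found at $tshark"
}

# 3. The app's converter script (path quoted in the question) must be present
$pcap2csv = Join-Path $env:ProgramFiles 'Splunk\etc\apps\SplunkForPCAP\bin\pcap2csv.bat'
if (-not (Test-Path $pcap2csv)) {
    $problems += "pcap2csv.bat not found at $pcap2csv (is the app installed?)"
}

# 4. There must be .pcap files in the drop folder for the app to pick up
$pcaps = Get-ChildItem -Path $PcapFolder -Filter '*.pcap' -ErrorAction SilentlyContinue
if (-not $pcaps) {
    $problems += "No .pcap files found in $PcapFolder"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}

# 5. Wait for the once-a-minute poll; a successful conversion removes the file
Write-Host "Prerequisites OK. Waiting up to $WaitMinutes minute(s) for conversion..."
foreach ($f in $pcaps) {
    $deadline = (Get-Date).AddMinutes($WaitMinutes)
    while ((Test-Path $f.FullName) -and ((Get-Date) -lt $deadline)) { Start-Sleep -Seconds 10 }
    if (Test-Path $f.FullName) {
        Write-Warning "$($f.Name) still present: conversion did not run"
    } else {
        Write-Host "$($f.Name) was picked up and converted"
    }
}
```

Run it from an elevated PowerShell prompt on the Splunk host; any warning printed points at the prerequisite that is missing.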