
PCAP Analyzer for Splunk: How do I analyze a static PCAP file?

Path Finder

Hi,

I am trying to analyze a static PCAP file. I have pointed Splunk to the pcap file using "Data inputs » PCAP File Location". But when I view the Top Talker Overview, with "Select tcpdump file" set to "All" or "C:\Program Files\Splunk\etc\apps\SplunkForPCAP\bin\pcap2csv.bat", the search status is always "Search is waiting for input...".

As an alternative, I have managed to convert the pcap file to CSV using Wireshark and upload the data to Splunk, but I would still like to use the app as a reference for what I can see from a pcap file.

May I know what else I need to do to view the pcap file using the app?


Re: PCAP Analyzer for Splunk: How do I analyze a static PCAP file?

Path Finder

Hi,

Put the .pcap File into the folder you have specified via the UI--> PCAP File Location (e.g. C:\Temp)
(No need to Upload a csv File. The App will do it for you with the proper field extraction etc.)

Make sure Splunk_Home Variable is set and Wireshark is installed under %programfiles%.

The app checks every minute for new pcap files.
You will recognize that your conversion was successful because the file will disappear from that folder.

Let me know if you have more questions.

Best regards

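The answer above describes what the app does behind the scenes: it picks up a .pcap from the watched folder, turns it into CSV with the fields extracted, and removes the original once that succeeded. The following is an added example (my own code, not the app's pcap2csv script or anything from Splunkbase) that shows the core of such a conversion in pure Python: it parses the classic libpcap container, decodes Ethernet/IPv4 frames into a per-packet 5-tuple and writes CSV rows. It assumes link type 1 (Ethernet) and skips non-IPv4 frames; the sample capture it builds is constructed inline, not taken from any real traffic. Function names such as `pcap_to_csv` and `build_sample_pcap` are mine.

```python
"""Minimal pcap -> CSV conversion (added example, not the app's converter).

Supports the classic libpcap format in either byte order, Ethernet link type,
and emits one CSV row per IPv4 packet: time, 5-tuple, protocol and length.
"""
import csv
import io
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_pcap(data: bytes):
    """Yield (ts_sec, ts_usec, orig_len, frame_bytes) for each record.

    Raises ValueError on a bad magic, a non-Ethernet link type, or a record
    that claims more bytes than the file (or snaplen) actually holds.
    """
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # little-endian writer (the common case)
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"          # big-endian writer
    else:
        raise ValueError("not a libpcap file (bad magic)")
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    if linktype != 1:
        raise ValueError(f"unsupported link type {linktype}; expected Ethernet (1)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        # Never trust the record length blindly: a corrupt or hand-crafted
        # file can claim more bytes than exist.
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or corrupt packet record")
        yield ts_sec, ts_usec, orig_len, data[off:off + incl_len]
        off += incl_len


def decode_ipv4(frame: bytes):
    """Return the 5-tuple of an Ethernet II / IPv4 frame, or None if not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport = dport = ""
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:        # TCP and UDP both start with ports
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": src, "dst": dst, "proto": PROTO_NAMES.get(proto, str(proto)),
            "sport": sport, "dport": dport}


def pcap_to_csv(data: bytes) -> str:
    """Convert pcap bytes to CSV text with a header row; non-IPv4 frames are skipped."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["time", "src_ip", "src_port", "dst_ip", "dst_port", "proto", "length"])
    for ts_sec, ts_usec, orig_len, frame in parse_pcap(data):
        d = decode_ipv4(frame)
        if d is None:
            continue
        w.writerow([f"{ts_sec}.{ts_usec:06d}", d["src"], d["sport"],
                    d["dst"], d["dport"], d["proto"], orig_len])
    return out.getvalue()


def _ipv4_frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Build a constructed Ethernet II + IPv4 frame (IP checksum left as 0)."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return eth + ip + l4


def build_sample_pcap() -> bytes:
    """Constructed sample capture: one TCP packet, one UDP packet, one ARP frame."""
    tcp = struct.pack("!HH", 40000, 443) + b"\x00" * 16          # 20-byte TCP header
    udp = struct.pack("!HHHH", 53000, 53, 8, 0)                   # 8-byte UDP header
    arp = bytes.fromhex("ffffffffffff00112233445508060001080006040001") + b"\x00" * 22
    frames = [_ipv4_frame("10.0.0.5", "10.0.0.1", 6, tcp),
              _ipv4_frame("10.0.0.5", "10.0.0.53", 17, udp),
              arp]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i, f in enumerate(frames):
        body += struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
    return hdr + body


if __name__ == "__main__":
    print(pcap_to_csv(build_sample_pcap()))
```

A converter like this should only delete the source .pcap after the CSV has been written without error, which is exactly why a file that stays in the watched folder is a useful signal that the app's conversion never completed.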

Re: PCAP Analyzer for Splunk: How do I analyze a static PCAP file?

Path Finder

I did point UI--> PCAP File Location to my pcap file. From search "Data Summary" I can see the index was updated just when I set the PCAP File location. But the PCAP file did not disappear from the folder. From Search, the pcap is as shown below. The information is not as detailed as when I look at it from wireshark.

[screenshot]

PCAP Analyzer for Splunk could not display anything on the dashboard at all, even when I changed to another tcpdump selection.

[screenshot]


Re: PCAP Analyzer for Splunk: How do I analyze a static PCAP file?

Path Finder

I've published a short getting started post at https://devops-online.com/pcap-analyzer-for-splunk-getting-started/
Please go through these points.
Your pcap file should appear with the same name in the dropdown menu.
If not, please make sure the points in the post are done.


Re: PCAP Analyzer for Splunk: How do I analyze a static PCAP file?

Path Finder

Hi,

I'm following the steps till where I need to define a name as “myfolder” and path as “/var/tmp/” but I keep getting the error message. What does global name 'symbol' is not defined mean?

[screenshot]


Re: PCAP Analyzer for Splunk: How do I analyze a static PCAP file?

New Member

Hello,

I am trying with Windows but still have the same problem. What's the right path to save here?


Re: PCAP Analyzer for Splunk: How do I analyze a static PCAP file?

Path Finder

Hi, it seems related to your python installation. Which version do you have installed?


Re: PCAP Analyzer for Splunk: How do I analyze a static PCAP file?

Path Finder

I'm running with 2.7.12+.


Re: PCAP Analyzer for Splunk: How do I analyze a static PCAP file?

Path Finder

Hi everyone.
I've just uploaded a new version (4.1.5) on splunkbase which will fix the problem.
https://splunkbase.splunk.com/app/2748/
Best regards,


Re: PCAP Analyzer for Splunk: How do I analyze a static PCAP file?

New Member

I tested and confirmed that the new version is working with Win 10.

Thank you
