Problem ingesting pcap file with stream modular in...

manderson7 · ‎06-13-2017

I'm attempting to ingest a pcap file per the documentation by using the modular input, and when I go through those steps, the contents of the pcap file is loaded into the stream inputs.conf stanza. I've been able to recreate this on two different systems, both windows and linux. Has anyone run into this and have any suggestions as to how to make this work?

damianpadden · ‎06-25-2018

i have created a index for testing and selected that when i ingest the pcap. also i have selected system time. All that happens is that the inputs.conf file has the content of the pcap. I cannot see any data actually in splunk.

manderson7 · ‎07-13-2017

Looks like this is to be expected. We thought it was broken because we couldn't find the data once it was ingested. Figured out how to find the data now, and the pcap ingest is working. Thanks Hal.

hrottenberg_spl · ‎07-14-2017

@manderson7 care to share any specifics on how you found the data which was unexpected? That might help the next person!

manderson7 · ‎07-17-2017

Turns out, that when you ingest a pcap via the Data Inputs/New PCAP section, it's supposed to add the pcap data into the inputs.conf. That's not really covered in the documentation.

Also, and this will seem quite obvious, but make certain you're searching in the correct time period for the data you're looking for :). That's really all that was problematic with our approach.

A feature request I'd look for in the future for this is to be able to search on the name we give the pcap when it's ingested, to make it easier to find when searching. We found yours, Hal, because it had an IP that we weren't using.

ecathalo · ‎07-20-2017

Dear manderson7,
I have the same problem than you: .pcap file content is copied into inputs.conf. What shall i do in order to be able to search the .pcap content?
Thanks for your explanation.

manderson7 · ‎07-20-2017

Narrow down the src and destination IP addresses in the pcap and search on those. That's what I had to do to find my data. Luckily, they were different than the rest of my environment. Also, when you ingest, set the pcap to use system time for easier searching.

damianpadden · ‎06-25-2018

did you manage to find where in splunk the data is kept.

This is driving me mad.

manderson7 · ‎06-25-2018

Use system time when you're ingesting, so it's easier to search the time that you uploaded. Also, maybe upload to a test index so there's less data to check.
It's not the most intuitive of setups.

hrottenberg_spl · ‎07-11-2017

Hi, are you following the steps documented here? Does Splunk let you upload the pcap file as it says on this page? If not, what happens? Are you seeing an error message or anything else that does not match the docs?

hrottenberg_spl · ‎07-11-2017

More questions: what version of splunk and Stream? How large is the pcap? I was able to successfully test this on my local system.

Problem ingesting pcap file with stream modular input

Announcing the Expansion of the Splunk Academic Alliance Program

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)