All Apps and Add-ons

Problem ingesting pcap file with stream modular input

manderson7
Contributor

I'm attempting to ingest a pcap file per the documentation by using the modular input, and when I go through those steps, the contents of the pcap file are loaded into the stream inputs.conf stanza. I've been able to recreate this on two different systems, both Windows and Linux. Has anyone run into this, and does anyone have suggestions as to how to make this work?

damianpadden
New Member

I have created an index for testing and selected that when I ingest the pcap. Also, I have selected system time. All that happens is that the inputs.conf file has the content of the pcap. I cannot see any data actually in Splunk.

0 Karma

manderson7
Contributor

Looks like this is to be expected. We thought it was broken because we couldn't find the data once it was ingested. Figured out how to find the data now, and the pcap ingest is working. Thanks Hal.

hrottenberg_spl
Splunk Employee

@manderson7 care to share any specifics on how you found the data which was unexpected? That might help the next person!

0 Karma

manderson7
Contributor

Turns out, that when you ingest a pcap via the Data Inputs/New PCAP section, it's supposed to add the pcap data into the inputs.conf. That's not really covered in the documentation.

Also, and this will seem quite obvious, but make certain you're searching in the correct time period for the data you're looking for :). That's really all that was problematic with our approach.

A feature request I'd look for in the future for this is to be able to search on the name we give the pcap when it's ingested, to make it easier to find when searching. We found yours, Hal, because it had an IP that we weren't using.

0 Karma

ecathalo
Explorer

Dear manderson7,
I have the same problem as you: the .pcap file content is copied into inputs.conf. What shall I do in order to be able to search the .pcap content?
Thanks for your explanation.

0 Karma

manderson7
Contributor

Narrow down the src and destination IP addresses in the pcap and search on those. That's what I had to do to find my data. Luckily, they were different than the rest of my environment. Also, when you ingest, set the pcap to use system time for easier searching.

0 Karma
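As an added example (not code from this thread or from Splunk), one way to do what manderson7 describes above: pull the distinct source and destination IPv4 addresses out of the pcap and turn them into the search that isolates the capture in Splunk. The pcap bytes are constructed inline, and the `src_ip`/`dest_ip` field names and `index=test` are assumptions to adjust for your environment.

```python
import ipaddress
import struct

ETHERNET = 1          # libpcap link type for Ethernet frames
ETHERTYPE_IPV4 = b"\x08\x00"

def _packet(src, dst):
    """Constructed sample record: zeroed MACs, minimal IPv4 header, no payload."""
    frame = b"\x00" * 12 + ETHERTYPE_IPV4 + struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    # record header: ts_sec, ts_usec, incl_len, orig_len
    return struct.pack("<IIII", 1_600_000_000, 0, len(frame), len(frame)) + frame

# Constructed pcap (global header + two frames); stands in for the file being ingested.
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, ETHERNET)
               + _packet("10.9.8.7", "192.0.2.10") + _packet("192.0.2.10", "10.9.8.7"))

def pcap_ip_pairs(data):
    """Return the set of (src, dst) IPv4 pairs in a classic libpcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # little-endian (micro/nanosecond)
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # big-endian
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != ETHERNET:
        raise ValueError(f"unsupported link type {linktype}; only Ethernet is parsed")
    pairs, off = set(), 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            continue  # skip non-IPv4 or truncated frames
        pairs.add((str(ipaddress.IPv4Address(frame[26:30])),
                   str(ipaddress.IPv4Address(frame[30:34]))))
    return pairs

def spl_for_pcap(data, index="test"):
    """Build the SPL that isolates the ingested capture by its IP addresses.
    src_ip / dest_ip are assumed to be the Stream field names."""
    ips = sorted({ip for pair in pcap_ip_pairs(data) for ip in pair})
    clause = " OR ".join(f'src_ip="{ip}" OR dest_ip="{ip}"' for ip in ips)
    return f"index={index} ({clause})"

if __name__ == "__main__":
    print(spl_for_pcap(SAMPLE_PCAP))
```

Run it against the real capture by reading the file into `data` and pasting the printed SPL into the search bar, with the time picker set to around when you uploaded (system time, as suggested above).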

damianpadden
New Member

Did you manage to find where in Splunk the data is kept?

This is driving me mad.

0 Karma

manderson7
Contributor

Use system time when you're ingesting, so it's easier to search the time that you uploaded. Also, maybe upload to a test index so there's less data to check.
It's not the most intuitive of setups.

0 Karma

hrottenberg_spl
Splunk Employee

Hi, are you following the steps documented here? Does Splunk let you upload the pcap file as it says on this page? If not, what happens? Are you seeing an error message or anything else that does not match the docs?

0 Karma

hrottenberg_spl
Splunk Employee

More questions: what version of Splunk and Stream? How large is the pcap? I was able to successfully test this on my local system.

0 Karma