
Problem ingesting pcap file with stream modular input

manderson7
Contributor

I'm attempting to ingest a pcap file per the documentation by using the modular input, and when I go through those steps, the contents of the pcap file are loaded into the stream inputs.conf stanza. I've been able to recreate this on two different systems, both Windows and Linux. Has anyone run into this, and do you have any suggestions as to how to make this work?

damianpadden
New Member

I have created an index for testing and selected that when I ingest the pcap. Also, I have selected system time. All that happens is that the inputs.conf file has the content of the pcap. I cannot see any data actually in Splunk.


manderson7
Contributor

Looks like this is to be expected. We thought it was broken because we couldn't find the data once it was ingested. Figured out how to find the data now, and the pcap ingest is working. Thanks Hal.

hrottenberg_spl
Splunk Employee

@manderson7 care to share any specifics on how you found the data which was unexpected? That might help the next person!


manderson7
Contributor

Turns out, that when you ingest a pcap via the Data Inputs/New PCAP section, it's supposed to add the pcap data into the inputs.conf. That's not really covered in the documentation.

Also, and this will seem quite obvious, but make certain you're searching in the correct time period for the data you're looking for :). That's really all that was problematic with our approach.

A feature request I'd look for in the future for this is to be able to search on the name we give the pcap when it's ingested, to make it easier to find when searching. We found yours, Hal, because it had an IP that we weren't using.


ecathalo
Explorer

Dear manderson7,
I have the same problem as you: the .pcap file content is copied into inputs.conf. What shall I do in order to be able to search the .pcap content?
Thanks for your explanation.


manderson7
Contributor

Narrow down the src and destination IP addresses in the pcap and search on those. That's what I had to do to find my data. Luckily, they were different than the rest of my environment. Also, when you ingest, set the pcap to use system time for easier searching.

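manderson7's advice above is to pull the source and destination IPs out of the capture and search on those. The script below is an added example, not code from this thread or from Splunk Stream: it walks a classic libpcap file (a small one constructed inline), collects the IPv4 endpoints and the capture's time span, skips non-IPv4 frames, and builds a free-text Splunk search from the IPs. The index name `pcap_test` and the choice of a plain free-text search rather than Stream's own field names are assumptions.

```python
import struct

def _ip(s): return bytes(int(o) for o in s.split("."))   # dotted quad -> 4 raw bytes

def _ipv4_frame(ts_sec, src, dst):
    """One libpcap record holding a minimal Ethernet/IPv4 header (constructed sample)."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # zero MACs, ethertype IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    frame = eth + ip
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame

_ARP = b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28          # non-IPv4 frame the parser must skip
# Constructed sample capture: little-endian global header, 3 IPv4 packets plus 1 ARP frame.
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # network 1 = Ethernet
    + _ipv4_frame(1700000000, "10.9.8.7", "203.0.113.5")
    + _ipv4_frame(1700000001, "203.0.113.5", "10.9.8.7")
    + struct.pack("<IIII", 1700000001, 500000, len(_ARP), len(_ARP)) + _ARP
    + _ipv4_frame(1700000002, "10.9.8.7", "198.51.100.20")
)

def summarize_pcap(data):
    """Walk a classic libpcap file and collect IPv4 endpoints, pairs and the time span."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic microsecond libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    ips, pairs, times, packets = set(), set(), [], 0
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        packets += 1
        times.append(ts_sec + ts_usec / 1e6)
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":   # ARP, VLAN-tagged, truncated...
            continue
        src = ".".join(str(b) for b in pkt[26:30])      # IPv4 src at Ethernet(14) + 12
        dst = ".".join(str(b) for b in pkt[30:34])      # IPv4 dst at Ethernet(14) + 16
        ips.update((src, dst)); pairs.add((src, dst))
    return {"packets": packets, "ips": sorted(ips), "pairs": sorted(pairs),
            "first_ts": min(times), "last_ts": max(times)}

def splunk_search(summary, index="pcap_test"):
    """Free-text search over every IP seen in the capture; 'index' is an assumed test index."""
    clause = " OR ".join(f'"{ip}"' for ip in summary["ips"])
    return f"index={index} ({clause})"
```

Because the thread's advice is to ingest with system time, set the time picker to the upload window, not to the capture's own timestamps; `first_ts`/`last_ts` only tell you what the packets themselves claim.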

damianpadden
New Member

Did you manage to find where in Splunk the data is kept?

This is driving me mad.


manderson7
Contributor

Use system time when you're ingesting, so it's easier to search the time that you uploaded. Also, maybe upload to a test index so there's less data to check.
It's not the most intuitive of setups.


hrottenberg_spl
Splunk Employee

Hi, are you following the steps documented here? Does Splunk let you upload the pcap file as it says on this page? If not, what happens? Are you seeing an error message or anything else that does not match the docs?


hrottenberg_spl
Splunk Employee

More questions: what version of Splunk and Stream? How large is the pcap? I was able to successfully test this on my local system.
