All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Running Stream against old PCAPS

w0lverineNOP
Path Finder
‎03-06-2015 07:47 AM

I am trying to run Stream against a few old pcaps. My set up includes the following:
Created a index that is pointing to an uploaded file of old pcaps had the Stream Forwarder pointed to the index
I have my host ip address added to the whitelist and is still being caught and indexed.

Any suggestions?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

rphillips_splk
Splunk Employee
Splunk Employee
‎03-06-2015 09:20 AM

Per the doc, you can edit the streamfwd.xml file:

Example 4: Use pcap file instead of network interface
You can also use a previously generated pcap file instead of an actual network interface, using this variation of the element.

<Interface>/tmp/data.cap</Interface>
<Offline>true</Offline>
<Filter>tcp port 80</Filter>
<Repeat>true</Repeat>
<SysTime>true</SysTime>
<BitsPerSecond>10000000</BitsPerSecond>

Should be set to the path of your pcap file
True means use pcap, false means is a network device name
True means to play back the pcap file repeatedly for continuous load
True means to use the system time for packet timestamps
Rate limiter, defaults to 10 Mbps if undefined and is true

http://docs.splunk.com/Documentation/StreamApp/6.1.1/DeployStreamApp/ConfigureStreamForwarder

View solution in original post

Reply
Solved! Jump to solution
Solution

rphillips_splk
Splunk Employee
Splunk Employee
‎03-06-2015 09:20 AM

Per the doc, you can edit the streamfwd.xml file:

Example 4: Use pcap file instead of network interface
You can also use a previously generated pcap file instead of an actual network interface, using this variation of the element.

<Interface>/tmp/data.cap</Interface>
<Offline>true</Offline>
<Filter>tcp port 80</Filter>
<Repeat>true</Repeat>
<SysTime>true</SysTime>
<BitsPerSecond>10000000</BitsPerSecond>

Should be set to the path of your pcap file
True means use pcap, false means is a network device name
True means to play back the pcap file repeatedly for continuous load
True means to use the system time for packet timestamps
Rate limiter, defaults to 10 Mbps if undefined and is true

http://docs.splunk.com/Documentation/StreamApp/6.1.1/DeployStreamApp/ConfigureStreamForwarder

Reply
Solved! Jump to solution

w0lverineNOP
Path Finder
‎03-11-2015 11:17 AM

Thank you!!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

The Great Resilience Quest: 9th Leaderboard Update

The ninth leaderboard update (11.9-11.22) for The Great Resilience Quest is out &gt;&gt; Kudos to all the ...