View Packet Payload in Stream

kbecker · ‎06-26-2015

Starting looking at Stream and have a good amount of tcp/udp flow events in which app is "unknown". How can I view the packets payload in Splunk in order to parse out data/create custom streams? I have enabled src_content but this doesn't show the payload for "unknown" events.

Thanks in advance.

vshcherbakov_sp · ‎06-26-2015

Do you mean the src_content field is not present for flows that could not be classified (app is "unknown")? If so, it's probably because Stream didn't capture any payload packets since the src_content data is captured independently from flow classification. I'd suggest checking the packet count fields to see if these flows have anything substantial. Enabling the dest_content field may also be of value.

kbecker · ‎06-28-2015

Correct, the src_content and dest_content fields are only populated in just under 5% of our events (this is combined after enabling src_content & dest_content for both TCP & UDP).

What are the packet count fields, packets_in & packets_out?

Is there something else I need to do to view the packet payload within Splunk or will I need to generate some pcaps to start creating parsers for our custom apps?

vshcherbakov_sp · ‎07-06-2015

Yes, I'd start with checking packets_in and packets_out fields. There are also data_packets_in and data_packets_out fields indicating the number of TCP payload packets. I'd also suggest upgrading App for Stream to v 6.3 as it contains improvements in the flow classification logic.

View Packet Payload in Stream

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...

Splunk and Fraud

Build Your First SPL2 App!