All Apps and Add-ons

Viewing PCAP data in Firepower app ... ?

alexgwilkinson
Explorer

Hi all,

Using the enconre TA with the Firepower Splunk App, PCAP data displays as for example:

rec_type=2 rec_type_desc="Packet Data" rec_type_simple=PACKET packet_len=217 packet_usec=1568254162 sensor=foo packet_sec=670888 packet=a2010000017c40553922fc41810002b00800450000c789424000330611b2a7638fa9ac1ac915becc00501fda73341650d071801872100dda00000101080a90883a57233b758a474554202f54656d706f726172795f4c697374656e5f4164647265737365732f534d535345525649434520485454502f312e310d0a486f73743a203230332e31362e32382e3130390d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a event_sec=1568254162 event_id=407 link_type=1 device_id=1

Question: How do I see the raw ASCII test for the pcap data in the aforementioned example ?

-Alex

0 Karma

douglashurd
Builder

Yes. We added that switch recently. No plans however to pout any sort of decoder into the app. Its been requested a few times. If we can come up with an easy way we will but its not on the roadmap presently.

0 Karma

alexgwilkinson
Explorer

Hi Douglas,

Thanks for your reply. I was able to append this to the query for HEX to ASCII conversion:

| rex mode=sed field=packet "s/([0-9A-Fa-f]{2})/%\1/g" | rex mode=sed field=packet "s/%[890ABCDEDFabcdef][\d\w]/-/g" | eval packet_ascii=urldecode(packet)

Seems to work well.

If there is ant feature request this would be it i.e. elegantly convert HEX to ASCII so I do not have to pivot back to FMC.

Thanks

-Alex

0 Karma

douglashurd
Builder

We don't perform the HEX to ASCII currently but we may insert a switch into the configuration file that does this. Converting to ASCII creates other problems though as there will be many special characters that don't mean anything. Currently, we assume customers use something like wireshark to perform the decode. With our new Splunk app you can right-click from the payload and link back into the FMC's event view for this event and see the packet decoded in the FMC UI.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!