All Apps and Add-ons

Viewing PCAP data in Firepower app ... ?

alexgwilkinson
Explorer

Hi all,

Using the enconre TA with the Firepower Splunk App, PCAP data displays as for example:

rec_type=2 rec_type_desc="Packet Data" rec_type_simple=PACKET packet_len=217 packet_usec=1568254162 sensor=foo packet_sec=670888 packet=a2010000017c40553922fc41810002b00800450000c789424000330611b2a7638fa9ac1ac915becc00501fda73341650d071801872100dda00000101080a90883a57233b758a474554202f54656d706f726172795f4c697374656e5f4164647265737365732f534d535345525649434520485454502f312e310d0a486f73743a203230332e31362e32382e3130390d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a event_sec=1568254162 event_id=407 link_type=1 device_id=1

Question: How do I see the raw ASCII test for the pcap data in the aforementioned example ?

-Alex

0 Karma

douglashurd
Builder

Yes. We added that switch recently. No plans however to pout any sort of decoder into the app. Its been requested a few times. If we can come up with an easy way we will but its not on the roadmap presently.

0 Karma

alexgwilkinson
Explorer

Hi Douglas,

Thanks for your reply. I was able to append this to the query for HEX to ASCII conversion:

| rex mode=sed field=packet "s/([0-9A-Fa-f]{2})/%\1/g" | rex mode=sed field=packet "s/%[890ABCDEDFabcdef][\d\w]/-/g" | eval packet_ascii=urldecode(packet)

Seems to work well.

If there is ant feature request this would be it i.e. elegantly convert HEX to ASCII so I do not have to pivot back to FMC.

Thanks

-Alex

0 Karma

douglashurd
Builder

We don't perform the HEX to ASCII currently but we may insert a switch into the configuration file that does this. Converting to ASCII creates other problems though as there will be many special characters that don't mean anything. Currently, we assume customers use something like wireshark to perform the decode. With our new Splunk app you can right-click from the payload and link back into the FMC's event view for this event and see the packet decoded in the FMC UI.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...