All Apps and Add-ons

Viewing PCAP data in Firepower app ... ?

Explorer

Hi all,

Using the enconre TA with the Firepower Splunk App, PCAP data displays as for example:

rectype=2 rectypedesc="Packet Data" rectypesimple=PACKET packetlen=217 packetusec=1568254162 sensor=foo packetsec=670888 packet=a2010000017c40553922fc41810002b00800450000c789424000330611b2a7638fa9ac1ac915becc00501fda73341650d071801872100dda00000101080a90883a57233b758a474554202f54656d706f726172795f4c697374656e5f4164647265737365732f534d535345525649434520485454502f312e310d0a486f73743a203230332e31362e32382e3130390d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a eventsec=1568254162 eventid=407 linktype=1 deviceid=1

Question: How do I see the raw ASCII test for the pcap data in the aforementioned example ?

-Alex

0 Karma

Builder

Yes. We added that switch recently. No plans however to pout any sort of decoder into the app. Its been requested a few times. If we can come up with an easy way we will but its not on the roadmap presently.

0 Karma

Explorer

Hi Douglas,

Thanks for your reply. I was able to append this to the query for HEX to ASCII conversion:

| rex mode=sed field=packet "s/([0-9A-Fa-f]{2})/%\1/g" | rex mode=sed field=packet "s/%[890ABCDEDFabcdef][\d\w]/-/g" | eval packet_ascii=urldecode(packet)

Seems to work well.

If there is ant feature request this would be it i.e. elegantly convert HEX to ASCII so I do not have to pivot back to FMC.

Thanks

-Alex

0 Karma

Builder

We don't perform the HEX to ASCII currently but we may insert a switch into the configuration file that does this. Converting to ASCII creates other problems though as there will be many special characters that don't mean anything. Currently, we assume customers use something like wireshark to perform the decode. With our new Splunk app you can right-click from the payload and link back into the FMC's event view for this event and see the packet decoded in the FMC UI.

0 Karma