What is a feature about tcpdump that makes it suitable for detecting Denial of Service attacks?

now we have the PCAP Analyzer for Splunk APP 🙂
https://splunkbase.splunk.com/app/2748/

so basically its something like uploading right??

Yep. and also this question we're on. Just add it as a file to monitor in Splunk and it will digest it and tail the file for any changes

Is this the question you are referring to? : I had a sample Wireshark capture data file as txt file that contains an Ocurrence of SYN Flood. I would like Splunk to monitor that file only without any real time monitoring for a time being then i will switch to real time monitoring. The capture file as well as the Splunk is located in the same local PC.

Oh yes. Mhibbin and others have already answered that. you can just monitor any txt file as a data input on Splunk. There isn't anything special to it, as long as you aren't monitoring the pcap file.

See the answer I've posted 🙂

So even if i use wireshark which you claim isn't the best tool, it is still possible to monitor its capture files but not a good tool thats all. I just want to be able to monitor wiresharks capture files as txt files using Splunk that all for time being and now.

Obviously I am the one asking the question. so Snort is the best tool ?? Snort run as a command line is it??

Interestingly if you read this question here; http://ask.wireshark.org/questions/10051/log-file-that-detects-dos it appears that they also don't believe wireshark is the best tool for this...

I am aware that DoS is unlikely to show as anonamly. I also wanted to create alerts in Splunk based on the wireshark data monitored using Splunk

I would strongly suggest that monitoring a file like this would not be a very good solution to detecting DoS. If you really wanted to try and monitor for DoS with Splunk you would be marginally better off using TCPDUMP as a scripted input and do the monitoring in realtime, however have you done a test yet to analyse how much memory packet data can consume? Alot. Finally I Would also suggest that a DoS is unlikely to show as an anomaly, it would more likely manifest itself as a normal connection that you would expect but happening by an order of magnitude.

That means i would have to specify what i would like monitor. In this case, i would like to detect log anomalies such as the occurence of Denial of Service attacks. So what do i do so that i can monitor the wireshark text file the way i want?

What are you looking to monitor in the file?

So can i use this wireshark txt file for monitoring using Splunk?

However the contents in the wireshark txt file looks like this :

Frame 1: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Arrival Time: Feb 2, 2010 22:40:36.411832000 Malay Peninsula Standard Time
Epoch Time: 1265121636.411832000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 54 bytes (432 bits)
Capture Length: 54 bytes (432 bits)
............ and so on.......

So basically you mean is that i can simply upload the text file manually.

i.e. the correct timestamp recognition is in place, and line breaking is taking place correctly. It is easier to make changes to timestamp recognition/line breaking here, as Splunk will assist in the setup (and even show you what changes are being made to the props.conf file).

If this answers your question, can you mark the answer as accpeted (the tick next to my answer), as this will show others the question does not require more attention, and helps those looking for answers. 🙂