Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Streamfwd pcap filter compilation error

Mit
Observer
‎05-08-2025 11:58 AM

I'm attempting to set up an Independent Stream Forwarder on a RHEL machine to collect netflow data, and have it forwarded to HEC on another machine. I have most of the configuration worked out, but when I start the streamfwd service I am receiving the following log messages:

INFO  [140109244728192] (SnifferReactor/SnifferReactor.cpp:161) stream.SnifferReactor - Starting network capture: sniffer
ERROR [140109244728192] (SnifferReactor/PcapNetworkCapture.cpp:238) stream.NetworkCapture - SnifferReactor pcap filter 'not (host REDACTED and port 443) and not (host $decideOnStartup and port 8088)' compilation error: aid supported only on ARCnet
FATAL [140109244728192] (CaptureServer.cpp:2338) stream.CaptureServer - SnifferReactor was unable to start packet capturesniffer

 

I don't know where it's getting that filter. I attempted to set the below line in streamfwd.conf with a valid BPF, but it doesn't seem to honor it and continues with the same error.

streamfwdcapture.<N>.filter = <BPF>

 

I'm not necessarily concerned at this point with getting a working filter, but I assume the filter in the log message is the issue, since it's the only error in the log. Appreciate any help, thanks in advance.

Labels (2)
Labels
0 Karma
Reply

kiran_panchavat
SplunkTrust
SplunkTrust
‎05-11-2025 12:40 AM

@Mit 

Can you check this. https://community.splunk.com/t5/Deployment-Architecture/streamfwd-app-error-in-var-log-splunk-stream... 

https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-uninstall-Independent-Stream-Forwarder/m... 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...