
Splunk - monitoring a wireshark file

offtheboxuser
Engager

I'm a newbie to Splunk and I'm trying to get Splunk to monitor a capture file from Wireshark. I set Wireshark to capture traffic to a cap file and had Splunk monitor that file. I'm trying to see the captured traffic and search inside that cap file, to no avail. Any help?

1 Solution

jerrad
Path Finder

My approach, which is used in a production environment and works like a charm. I should note that I am not reading a file; I am collecting this live as it happens on an interface that is connected to a switch SPAN port.

tshark_script.sh

   # Live capture of GTP Create PDP Context requests/responses (0x10/0x11), written
   # as tab-separated fields; -R was tshark's filter flag at the time (now -Y).
   date=`date +"%m-%d-%y_%H-%M"`
   tshark -i eth3 -l -R "(gtp.message == 0x10) || (gtp.message == 0x11)" -Tfields -e frame.time -e gtp.teid -e gtp.teid_cp -e gtp.imsi -e gtp.msisdn -e gtp.apn -e gtp.mcc -e gtp.mnc -e gtp.lac -e gtp.rac -e gtp.user_ipv4 -e gtp.cause -e gtp.chrg_id -e gtp.gsn_ipv4 -e eth.src -e eth.dst -e gtp.ext_imeisv -e gtp.ext_sac > /tshark/splunk/gtp/tshark_gtp_$date

I then install the Splunk Light Forwarder and have it monitor the /tshark/splunk/gtp/ directory.

I have a cron that restarts tshark after a set period of time to avoid any memory/disk space issues and cleans up temp files.

Sample log output

Mar 25, 2011 03:12:25.154535000 0x0c038f47 0x1496242c 11.11.11.11 128 0x584f9ea0 10.10.10.10 00:00:00:00:00:00 00:00:00:00:00:00


Justin_Grant
Contributor

Per this thread, it sounds like you can transform a .cap file to text using a command like this:

tshark -r {file} -V

You could set up a Splunk scripted input using the command line above for one-time import of a single cap file.

This doesn't help you for up-to-the-second packet capture, but with some scripting fu you could probably cut new tshark CAP files every so often (e.g. every hour) and then use the scripted approach above to transform each new file into the text that Splunk needs.

dwaddle
SplunkTrust

The default format for wireshark/tcpdump/tshark is not a text file format. The ".cap" pcap format is a binary one. Splunk won't have the intimate knowledge of the pcap binary format to be able to process it natively.

From the manpage for tshark (command line wireshark):

   If you want to write the decoded form of packets to a file, 
   run TShark without the -w option, and redirect its standard 
   output to the file (do not use the -w option).

   When writing packets to a file, TShark, by default, writes the file
   in libpcap format, and writes all of the packets it sees to the output file.  
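As an added example (not code from this thread), here is a small Python parser for the binary libpcap format dwaddle describes: it walks the file record by record and emits one key=value text line per Ethernet frame, in the spirit of jerrad's field list, so Splunk can index the result. The capture bytes are constructed inline; only classic microsecond pcap with the Ethernet link type is handled (pcapng, Wireshark's newer default, is rejected rather than misparsed).

```python
# Added example: reads classic libpcap (not pcapng) and emits Splunk-friendly
# key=value lines. The sample capture below is constructed, not a real trace.
import struct
from datetime import datetime, timezone

PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # usec-resolution only
LINKTYPE_ETHERNET = 1

def pcap_records(data):
    """Yield (ts_sec, ts_usec, orig_len, frame_bytes) per record, with bounds checks."""
    endian = PCAP_MAGIC.get(data[:4])
    if endian is None:  # pcapng (0x0a0d0d0a) or nanosecond pcap land here
        raise ValueError("not a classic libpcap file")
    _magic, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or corrupt record")  # never trust lengths in a capture
        yield ts_sec, ts_usec, orig_len, data[off:off + incl_len]
        off += incl_len

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def pcap_to_text(data):
    """One line per Ethernet frame: UTC timestamp plus key=value fields Splunk auto-extracts."""
    lines = []
    for ts_sec, ts_usec, orig_len, frame in pcap_records(data):
        if len(frame) < 14:  # shorter than an Ethernet header
            continue
        ts = datetime.fromtimestamp(ts_sec, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        ethertype = struct.unpack("!H", frame[12:14])[0]
        lines.append(f"{ts}.{ts_usec:06d} eth.dst={mac(frame[0:6])} eth.src={mac(frame[6:12])} "
                     f"eth.type=0x{ethertype:04x} frame.len={orig_len}")
    return lines

# Constructed one-frame capture: little-endian header, snaplen 65535, Ethernet link type.
_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\x00" * 20
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + struct.pack("<IIII", 1301022745, 154535, len(_FRAME), 60) + _FRAME)

if __name__ == "__main__":
    for line in pcap_to_text(SAMPLE_PCAP):
        print(line)
```

Writing the output to a file under a directory Splunk monitors (as jerrad does) gives searchable events; pointing Splunk at the .cap itself never will.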