Monitoring Splunk

Splunk - monitoring a wireshark file

offtheboxuser
Engager

i'm newbie to splunk and i'm trying to get splunk monitor a capture file from Wireshark. i set wireshark to capture traffic on a cap file and had splunk to monitor that file. I'm trying to see captured traffic and search inside that cap file to no avail. Any help?

Tags (1)
1 Solution

jerrad
Path Finder

My approach that is used in a production environment and works like a charm, I should note that I am not reading a file I am collecting this live as it happens on an interface that is connected to a switch SPAN port.

tshark_script.sh

date=`date +"%m-%d-%y_%H-%M"`
tshark -i eth3 -l -R "(gtp.message == 0x10) || (gtp.message == 0x11)" -Tfields -e frame.time -e gtp.teid -e gtp.teid_cp -e gtp.imsi -e gtp.msisdn -e gtp.apn -e gtp.mcc -e gtp.mnc -e gtp.lac -e gtp.rac -e gtp.user_ipv4 -e gtp.cause -e gtp.chrg_id -e gtp.gsn_ipv4 -e eth.src -e eth.dst -e gtp.ext_imeisv -e gtp.ext_sac > /tshark/splunk/gtp/tshark_gtp_$date

I then install the Splunk Light Forwarder and have it monitor the /tshark/splunk/gtp/ directory.

I have a cron that restarts tshark after a set period of time to avoid any memory/disk space issues and cleans up temp files.

Sample log output

Mar 25, 2011 03:12:25.154535000 0x0c038f47 0x1496242c 11.11.11.11 128 0x584f9ea0 10.10.10.10 00:00:00:00:00:00 00:00:00:00:00:00

View solution in original post

jerrad
Path Finder

My approach that is used in a production environment and works like a charm, I should note that I am not reading a file I am collecting this live as it happens on an interface that is connected to a switch SPAN port.

tshark_script.sh

date=`date +"%m-%d-%y_%H-%M"`
tshark -i eth3 -l -R "(gtp.message == 0x10) || (gtp.message == 0x11)" -Tfields -e frame.time -e gtp.teid -e gtp.teid_cp -e gtp.imsi -e gtp.msisdn -e gtp.apn -e gtp.mcc -e gtp.mnc -e gtp.lac -e gtp.rac -e gtp.user_ipv4 -e gtp.cause -e gtp.chrg_id -e gtp.gsn_ipv4 -e eth.src -e eth.dst -e gtp.ext_imeisv -e gtp.ext_sac > /tshark/splunk/gtp/tshark_gtp_$date

I then install the Splunk Light Forwarder and have it monitor the /tshark/splunk/gtp/ directory.

I have a cron that restarts tshark after a set period of time to avoid any memory/disk space issues and cleans up temp files.

Sample log output

Mar 25, 2011 03:12:25.154535000 0x0c038f47 0x1496242c 11.11.11.11 128 0x584f9ea0 10.10.10.10 00:00:00:00:00:00 00:00:00:00:00:00

Justin_Grant
Contributor

Per this thread, it sounds like you can transform a .cap file to text using a command like this:

tshark -r {file} -V

You could set up a Splunk scripted input using the command line above for one-time import of a single cap file.

This doesn't help you for up-to-the-second packet capture, but with some scripting fu you could probably cut new tshark CAP files every so often (e.g. every hour) and then use the scripted approach above to transform each new file into the text that Splunk needs.

dwaddle
SplunkTrust
SplunkTrust

The default format for wireshark/tcpdump/tshark is not a text file format. The ".cap" pcap format is a binary one. Splunk won't have the intimate knowledge of the pcap binary format to be able to process it natively.

From the manpage for tshark (command line wireshark):

   If you want to write the decoded form of packets to a file, 
   run TShark without the -w option, and redirect its standard 
   output to the file (do not use the -w option).

   When writing packets to a file, TShark, by default, writes the file
   in libpcap format, and writes all of the packets it sees to the output file.  
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...