I'm a newbie to Splunk and I'm trying to get Splunk to monitor a capture file from Wireshark. I set Wireshark to capture traffic to a cap file and had Splunk monitor that file. I'm trying to see the captured traffic and search inside that cap file, to no avail. Any help?
My approach, which is used in a production environment and works like a charm. I should note that I am not reading a file; I am collecting this live as it happens on an interface that is connected to a switch SPAN port.
tshark_script.sh
#!/bin/sh
# Timestamp for the output file name, e.g. 03-25-11_03-12
date=`date +"%m-%d-%y_%H-%M"`
# Live capture on eth3, line-buffered (-l) so events reach the forwarder as they happen.
# The filter keeps only GTP Create PDP Context Request/Response (message types 0x10/0x11).
# -R is the read-filter flag of the tshark of the time; current releases use -Y for this.
# -Tfields writes the listed fields as tab-separated text, which Splunk can monitor directly.
tshark -i eth3 -l -R "(gtp.message == 0x10) || (gtp.message == 0x11)" -Tfields -e frame.time -e gtp.teid -e gtp.teid_cp -e gtp.imsi -e gtp.msisdn -e gtp.apn -e gtp.mcc -e gtp.mnc -e gtp.lac -e gtp.rac -e gtp.user_ipv4 -e gtp.cause -e gtp.chrg_id -e gtp.gsn_ipv4 -e eth.src -e eth.dst -e gtp.ext_imeisv -e gtp.ext_sac > /tshark/splunk/gtp/tshark_gtp_$date
I then install the Splunk Light Forwarder and have it monitor the /tshark/splunk/gtp/ directory.
I have a cron that restarts tshark after a set period of time to avoid any memory/disk space issues and cleans up temp files.
Sample log output
Mar 25, 2011 03:12:25.154535000 0x0c038f47 0x1496242c 11.11.11.11 128 0x584f9ea0 10.10.10.10 00:00:00:00:00:00 00:00:00:00:00:00
Per this thread, it sounds like you can transform a .cap file to text using a command like this:
tshark -r {file} -V
You could set up a Splunk scripted input using the command line above for one-time import of a single cap file.
This doesn't help you for up-to-the-second packet capture, but with some scripting fu you could probably cut new tshark CAP files every so often (e.g. every hour) and then use the scripted approach above to transform each new file into the text that Splunk needs.
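An added example (my own script, not code from either answer) that serves both the live -Tfields capture in the first answer and the scripted-input conversion of a saved .cap file in the second: it rewrites each tshark line as name="value" pairs so Splunk auto-extracts the GTP fields instead of indexing bare positional values, and it uses -Y, the display-filter flag of current tshark releases (the first answer's -R now requires -2). The interface, output directory and shortened field list are assumptions, and the sample line in the test is constructed after the thread's sample output.

```shell
#!/bin/sh
# Added example, not code from the thread. Wraps tshark -T fields so every
# line reaches Splunk as key=value pairs, for both a live SPAN-port capture
# and a one-shot conversion of a saved .cap file. Interface, output
# directory and the reduced field list are assumptions.

FILTER='(gtp.message == 0x10) || (gtp.message == 0x11)'
FIELDS='frame.time gtp.teid gtp.teid_cp gtp.imsi gtp.msisdn gtp.apn gtp.user_ipv4 gtp.cause gtp.gsn_ipv4 eth.src eth.dst'

# Expand FIELDS into the repeated "-e <field>" arguments tshark expects.
field_args() {
    for f in $FIELDS; do printf '%s %s ' -e "$f"; done
}

# Turn one tab-separated tshark line into name="value" pairs in FIELDS order.
# tshark leaves nothing between the tabs for fields a packet lacks (gtp.imsi
# etc. in the sample), so those are skipped rather than indexed as empty
# values; quoting keeps frame.time, which contains spaces, as one value.
fields_to_kv() {
    awk -F'\t' -v names="$FIELDS" '
        BEGIN { n = split(names, name, " ") }
        {
            out = ""
            for (i = 1; i <= n; i++)
                if ($i != "")
                    out = out (out == "" ? "" : " ") name[i] "=\"" $i "\""
            print out
        }'
}

# Shared tshark invocation: "$@" selects the input, -i <iface> for a live
# capture or -r <file> for a saved one. -Y is the display filter in current
# tshark (the 2011 script's -R now needs -2); -l line-buffers the output so
# the forwarder sees events as they happen.
gtp_events() {
    # shellcheck disable=SC2046  # field_args output is meant to word-split
    tshark "$@" -l -Y "$FILTER" -T fields -E separator=/t $(field_args) | fields_to_kv
}

# Live: one timestamped file per run, rotated by cron as in the first answer.
capture_live() {
    gtp_events -i "$1" >> "$2/tshark_gtp_$(date +%m-%d-%y_%H-%M).log"
}

# Scripted input / one-time import: emit a saved capture on stdout for Splunk.
convert_file() {
    gtp_events -r "$1"
}

# Usage: tshark_kv.sh live eth3 /tshark/splunk/gtp   or   tshark_kv.sh file x.cap
case "${1:-}" in
    live) capture_live "$2" "$3" ;;
    file) convert_file "$2" ;;
esac
```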
The default format for wireshark/tcpdump/tshark is not a text file format. The ".cap" pcap format is a binary one. Splunk won't have the intimate knowledge of the pcap binary format to be able to process it natively.
From the manpage for tshark (command line wireshark):
If you want to write the decoded form of packets to a file, run TShark without the -w option, and redirect its standard output to the file (do not use the -w option). When writing packets to a file, TShark, by default, writes the file in libpcap format, and writes all of the packets it sees to the output file.