Ta_tshark
Thanks, it's exactly what I needed.

Hi @sol69
Please find the following instructions for configuring the add-on
Prerequisites
Wireshark Installation
- Download and install Wireshark.
- During the installation process, deselect all components except for tshark (this is the command-line tool needed for packet capture), unless you have other reasons for installing the full package.
TA-tshark app Installation
- Install the TA-tshark add-on on your Universal Forwarder (UF).
- After installation, ensure you configure the add-on to forward the necessary data.
Configuration Steps
Modify Configuration Files
- inputs.conf:
- Locate the file (often included in the app package).
- If needed, modify the configuration—by default, it is set up for Windows to capture traffic on port 53 (DNS) on the first interface.
- The input is defined with the name tshark:port53 and a specified sourcetype.
- bin/tcpdump.path:
- Adjust this file if your environment requires a different tcpdump/tshark path than what is provided.
Enable Packet Capture
- In the inputs.conf file, find the stanza corresponding to the capture input.
- Set disabled = 0 to enable the capture feature.
Restart the Universal Forwarder (UF)
- After making all changes, restart the UF to apply the new configuration settings.
Optional: Additional Apps for Enhanced Functionality
For further insights and to extend the functionality of the installed app, consider installing the following complementary Splunk apps:
DNS Insight
DNS Insight on Splunkbase
DHCP Insight
DHCP Insight on Splunkbase
These apps provide additional analysis and visualization capabilities related to DNS and DHCP traffic.
Note - How you install the app on your UF may depend on your architecture - are you using a Deployment Server to distribute apps to your UF(s)?
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
I recommend exploring an alternative method for forwarding the data, as this add-on or app does not appear to be CIM-compliant. It would be best to review this documentation for more details.
https://community.splunk.com/t5/Splunk-Enterprise/Monitoring-Wireshark-usage-with-splunk/m-p/690530
https://community.splunk.com/t5/Monitoring-Splunk/Splunk-monitoring-a-wireshark-file/td-p/14218
To configure the inputs.conf for the TA_tshark (Network Input for Windows) on Splunk, follow these steps:
Install TA_tshark:
- Install the TA_tshark on your Universal Forwarder (UF) and configure forwarding.
Modify inputs.conf:
- Open the inputs.conf file located in $SPLUNK_HOME/etc/apps/TA_tshark/local/ (create the file if it does not exist).
- Add the following configuration to capture DNS traffic on port 53:
[script://<give your path>]
disabled = 0
index = your_index
sourcetype = tshark:port53
- Ensure the disabled attribute is set to 0 to enable the input.
Modify tcpdump.path:
- If needed, update the bin/tcpdump.path file to point to the correct path of tshark.
Restart the Universal Forwarder:
- After making these changes, restart the Universal Forwarder to apply the new configuration.
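Both answers above describe the same procedure (point the scripted input at tshark, enable it, restart the forwarder) without showing what the input actually runs or what the forwarder ingests. The following is an added example, not TA-tshark's own script: it builds a tshark command line for a port-53 capture on one interface and converts tshark's tab-separated field output into key=value events that Splunk extracts automatically. The field list, the key names, and the sample capture lines are this example's own choices; the add-on's real script name and field selection are not on this page. The tshark options are the same on Windows, where bin/tcpdump.path would point at tshark.exe.

```shell
#!/bin/sh
# Added example (not TA-tshark's own code): a capture command of the kind the
# add-on's scripted input runs, plus a converter from tshark's tab-separated
# field output to key=value events. Assumptions: tshark is on PATH or at the
# path named in bin/tcpdump.path; interface number and port come from the
# caller; the field list and key names below are this example's choice.

# Build the tshark command line for a DNS capture on one interface and port.
# -l flushes each packet as it is written, so the forwarder sees events
# promptly; -n disables name resolution; -T fields with -E separator=/t
# gives one tab-separated line per packet.
tshark_cmd() {
  iface="$1"   # e.g. 1 (the first interface, as in the default inputs.conf)
  port="$2"    # e.g. 53
  printf 'tshark -i %s -l -n -f "port %s" -T fields -E separator=/t -e frame.time_epoch -e ip.src -e ip.dst -e dns.flags.response -e dns.qry.name -e dns.qry.type -e dns.a' "$iface" "$port"
}

# Convert tab-separated tshark lines on stdin into key=value events on stdout.
# awk keeps empty trailing fields (a query carries no dns.a), so the field
# count is stable and the answer key is simply empty for queries.
to_kv() {
  awk -F'\t' '{
    printf "time=%s src_ip=%s dest_ip=%s is_response=%s query=\"%s\" qtype=%s answer=%s\n",
           $1, $2, $3, $4, $5, $6, $7
  }'
}

# Constructed sample of what the command above emits (not captured traffic):
# one query for example.com and the matching response carrying an A record.
sample_capture() {
  printf '%s\n' \
    "$(printf '1700000000.123\t10.0.0.5\t10.0.0.1\t0\texample.com\t1\t')" \
    "$(printf '1700000000.130\t10.0.0.1\t10.0.0.5\t1\texample.com\t1\t93.184.216.34')"
}

# Run the sample through the converter; the output is what Splunk would index
# under the sourcetype set in inputs.conf.
demo() {
  sample_capture | to_kv
}

demo
```

The forwarder runs the scripted input under its own service account, so that account needs permission to capture on the interface (on Windows, via Npcap); if the script runs by hand but the index stays empty, check that first, then splunkd.log for the script's exit status.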
