Splunk Enterprise

Ta_tshark

sol69
Explorer

How do I configure the inputs.conf for 

Ta_tshark TA_tshark (Network Input for Windows) | Splunkbase

0 Karma

Solo69
Observer

Thanks, it's exactly what I needed

0 Karma

livehybrid
Super Champion

Hi @sol69 

Please find the following instructions for configuring the add-on

Prerequisites

  1. Wireshark Installation

    • Download and install Wireshark.
    • During the installation process, deselect all components except for tshark (this is the command-line tool needed for packet capture), unless you have other reasons for installing the full package.
  2. TA-tshark app Installation

    • Install the TA-tshark add-on on your Universal Forwarder (UF).
    • After installation, ensure you configure the add-on to forward the necessary data.

Configuration Steps

  1. Modify Configuration Files

    • inputs.conf:
      • Locate the file (often included in the app package).
      • If needed, modify the configuration—by default, it is set up for Windows to capture traffic on port 53 (DNS) on the first interface.
      • The input is defined with the name tshark:port53 and a specified sourcetype.
    • bin/tcpdump.path:
      • Adjust this file if your environment requires a different tcpdump/tshark path than what is provided.
  2. Enable Packet Capture

    • In the inputs.conf file, find the stanza corresponding to the capture input.
    • Set disabled = 0 to enable the capture feature.
  3. Restart the Universal Forwarder (UF)

    • After making all changes, restart the UF to apply the new configuration settings.

Optional: Additional Apps for Enhanced Functionality

For further insights and to extend the functionality of the installed app, consider installing the following complementary Splunk apps:

These apps provide additional analysis and visualization capabilities related to DNS and DHCP traffic.

Note - How you install the app on your UF may depend on your architecture - are you using a Deployment Server to distribute apps to your UF(s)? 

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma

kiran_panchavat
Influencer

@sol69 

I recommend exploring an alternative method for forwarding the data, as this add-on or app does not appear to be CIM-compliant. It would be best to review this documentation for more details.

https://community.splunk.com/t5/Splunk-Enterprise/Monitoring-Wireshark-usage-with-splunk/m-p/690530 
https://community.splunk.com/t5/Monitoring-Splunk/Splunk-monitoring-a-wireshark-file/td-p/14218 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma

kiran_panchavat
Influencer

@sol69 

To configure the inputs.conf for the TA_tshark (Network Input for Windows) on Splunk, follow these steps:

  1. Install TA_tshark:

    • Install the TA_tshark on your Universal Forwarder (UF) and configure forwarding.
  2. Modify inputs.conf:

    • Open the inputs.conf file located in $SPLUNK_HOME/etc/apps/TA_tshark/local/ (create the file).
    • Add the following configuration to capture DNS traffic on port 53:
     [script://<give your path>]
     disabled = 0
     index = your_index
     sourcetype = tshark:port53
    • Ensure the disabled attribute is set to 0 to enable the input.
  3. Modify tcpdump.path:

    • If needed, update the bin/tcpdump.path file to point to the correct path of tshark.
  4. Restart the Universal Forwarder:

    • After making these changes, restart the Universal Forwarder to apply the new configuration.
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
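Added example, not code from the thread or from the TA_tshark add-on: a small Python pre-deployment check that parses an inputs.conf stanza of the shape both answers above describe and flags the three things that most often leave the capture silent after a UF restart: an unreplaced `<give your path>` placeholder in the script:// stanza, `disabled = 1`, and a missing index. The sample stanza is constructed, and the `tshark_port53.cmd` name used in the test is an assumed script name.

```python
import re

# Constructed sample inputs.conf stanza in the shape the thread describes; it is
# not the file shipped with TA_tshark. Note disabled = 1 and a placeholder path.
SAMPLE_INPUTS_CONF = """\
[script://<give your path>]
disabled = 1
sourcetype = tshark:port53
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; comments and blanks are skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_tshark_inputs(text, expected_sourcetype="tshark:port53"):
    """Return findings for every script:// stanza; an empty list means the capture input is ready."""
    findings = []
    for name, keys in parse_conf(text).items():
        if not name.startswith("script://"):
            continue
        path = name[len("script://"):]
        if re.search(r"<[^>]*>", path):
            findings.append(f"{name}: placeholder path not replaced with the real script path")
        # Splunk treats a missing 'disabled' key as enabled, so only 1/true blocks the capture
        if keys.get("disabled", "0").lower() in ("1", "true"):
            findings.append(f"{name}: disabled = 1, set disabled = 0 to enable the capture")
        if "index" not in keys:
            findings.append(f"{name}: no index set, events will go to the default index")
        if keys.get("sourcetype") != expected_sourcetype:
            findings.append(f"{name}: sourcetype {keys.get('sourcetype')!r} != {expected_sourcetype!r}")
    return findings


if __name__ == "__main__":
    for finding in check_tshark_inputs(SAMPLE_INPUTS_CONF):
        print(finding)
```

Run it against the local/inputs.conf before pushing the app out from a Deployment Server; the stanza only deploys cleanly when the function returns an empty list.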