
Getting logs out of txt files converted from wireshark captures pcap file


Based on the question asked on http://splunk-base.splunk.com/answers/2922/splunk-monitoring-a-wireshark-file
Jerrad showed a sample log output. So the log output is shown in the Splunk search app whenever you search for this sample log data? So how did Jerrad manage to output the sample log:

Mar 25, 2011 03:12:25.154535000 0x0c038f47 0x1496242c 128 0x584f9ea0 00:00:00:00:00:00 00:00:00:00:00:00

from the wireshark pcap txt file? As in GETTING LOGS OUT from the wireshark capture file in txt file? Does anyone have any idea??

So just to ask. That means, to get the logs from the wireshark pcap txt file, set the capture settings in the first place and what you choose to save, create field extractions in props.conf and transforms.conf?? Is it?? Is that the way to do it? Overall I would like to know the whole process of doing this cos I still don't understand the answers given for the question: http://splunk-base.splunk.com/answers/2922/splunk-monitoring-a-wireshark-file



hi misteryuku

This is my final approach to help you with this topic..... Did you read and understand Jerrad's post?

He was NOT using wireshark, he was using tshark with a hell of a lot of options to get your posted sample log in his output log. This sample log was NOT produced in this form by Splunk but by tshark.

try to set tshark the way Jerrad did:

date=`date +"%m-%d-%y_%H-%M"`
tshark -i eth3 -l -R "(gtp.message == 0x10) || (gtp.message == 0x11)" -Tfields -e frame.time -e gtp.teid -e gtp.teid_cp -e gtp.imsi -e gtp.msisdn -e gtp.apn -e gtp.mcc -e gtp.mnc -e gtp.lac -e gtp.rac -e gtp.user_ipv4 -e gtp.cause -e gtp.chrg_id -e gtp.gsn_ipv4 -e eth.src -e eth.dst -e gtp.ext_imeisv -e gtp.ext_sac > /tshark/splunk/gtp/tshark_gtp_$date

and index that file /tshark/splunk/gtp/tshark_gtp_*. Forget about props.conf and transforms.conf; this would lead into another bunch of questions on how to do it.


PS: no, eth3 is not your network interface, and you probably don't have a /tshark/splunk/gtp/ path either......

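To make the tab-separated tshark output searchable by field name without touching props.conf or transforms.conf, one option is to convert each output line into name="value" pairs before Splunk indexes it. The script below is an added example, not Jerrad's or Splunk's own code; it assumes tshark's default tab separator and the same -e field order as the command above, and the sample line is constructed, not real capture data.

```shell
# Convert tshark -Tfields output (one tab-separated line per packet) into
# name="value" pairs, so Splunk's automatic key=value extraction picks the
# fields up at search time without custom extractions.
# Assumes tshark's default field separator (tab) and the -e order below.

TAB=$(printf '\t')

# Same order as the -e options passed to tshark; column N holds field N.
FIELDS="frame.time gtp.teid gtp.teid_cp gtp.imsi gtp.msisdn gtp.apn gtp.mcc gtp.mnc gtp.lac gtp.rac gtp.user_ipv4 gtp.cause gtp.chrg_id gtp.gsn_ipv4 eth.src eth.dst gtp.ext_imeisv gtp.ext_sac"

# Build the "-e f1 -e f2 ..." argument string from FIELDS, so the capture
# command and the parser can never disagree on column order.
tshark_field_args() {
  args=""
  for f in $FIELDS; do args="$args -e $f"; done
  printf '%s' "${args# }"
}

# Turn one output line into name="value" pairs. A packet that lacks a field
# produces an empty column; those are skipped rather than emitted as "".
to_kv() {
  line=$1
  out=""
  for f in $FIELDS; do
    case $line in
      *"$TAB"*) val=${line%%"$TAB"*}; line=${line#*"$TAB"} ;;
      *)        val=$line;            line="" ;;
    esac
    if [ -n "$val" ]; then out="$out $f=\"$val\""; fi
  done
  printf '%s\n' "${out# }"
}

# Constructed sample line (not real capture data): 18 columns, of which only
# frame.time, gtp.teid, gtp.teid_cp, gtp.cause, gtp.chrg_id, eth.src and
# eth.dst are populated, mirroring the shape of the sample log in the question.
SAMPLE=$(printf 'Mar 25, 2011 03:12:25.154535000\t0x0c038f47\t0x1496242c\t\t\t\t\t\t\t\t\t128\t0x584f9ea0\t\t00:00:00:00:00:00\t00:00:00:00:00:00\t\t')

# Usage with a live capture (hypothetical paths/interface, as in the answer):
#   tshark -i eth3 -l -Tfields $(tshark_field_args) \
#     | while IFS= read -r l; do to_kv "$l"; done > /tshark/splunk/gtp/tshark_gtp_$date
to_kv "$SAMPLE"
```

Whether Splunk's automatic extraction accepts the dotted tshark field names as-is is an assumption here; if your version does not, rename the keys (for instance replacing the dots) in to_kv before indexing.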

Okay. Understood.
