Splunk Search

Getting logs out of txt files converted from wireshark captures pcap file

misteryuku
Communicator

Based on the question asked on http://splunk-base.splunk.com/answers/2922/splunk-monitoring-a-wireshark-file
Jerrad showed a sample log output. So the log output is shown in the Splunk search app whenever you search for this sample log data? So how did Jerrad manage to output the sample log:

Mar 25, 2011 03:12:25.154535000 0x0c038f47 0x1496242c 11.11.11.11 128 0x584f9ea0 10.10.10.10 00:00:00:00:00:00 00:00:00:00:00:00

from the wireshark pcap txt file? As in GETTING LOGS OUT from the wireshark capture file in txt file? Does anyone have any idea??

So just to ask. That means, to get the logs from the wireshark pcap txt file, set the capture settings in the first place and what you choose to save, then create field extractions in props.conf and transforms.conf?? Is it?? Is that the way to do it? Overall I would like to know the whole process of doing this cos I still don't understand the answers given for the question: http://splunk-base.splunk.com/answers/2922/splunk-monitoring-a-wireshark-file


MuS
SplunkTrust

Hi misteryuku,

this is my final approach to help you with this topic..... did you read and understand Jerrad's post?

He was NOT using wireshark, he was using tshark with a hell of a lot of options to get your posted sample log in his output log. This sample log was NOT produced in this form by Splunk but by tshark.

try to set tshark the way Jerrad did:

date=`date +"%m-%d-%y_%H-%M"`
tshark -i eth3 -l -R "(gtp.message == 0x10) || (gtp.message == 0x11)" -Tfields -e frame.time -e gtp.teid -e gtp.teid_cp -e gtp.imsi -e gtp.msisdn -e gtp.apn -e gtp.mcc -e gtp.mnc -e gtp.lac -e gtp.rac -e gtp.user_ipv4 -e gtp.cause -e gtp.chrg_id -e gtp.gsn_ipv4 -e eth.src -e eth.dst -e gtp.ext_imeisv -e gtp.ext_sac > /tshark/splunk/gtp/tshark_gtp_$date

and index that file /tshark/splunk/gtp/tshark_gtp_*; forget about props.conf and transforms.conf, this would lead to another bunch of questions on how to do it.

cheers

PS: no, eth3 is not your network interface and you probably don't have a /tshark/splunk/gtp/ path either......
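To make the answer above concrete: tshark's -T fields mode writes one tab-separated column per -e option, in the order given, with an empty column wherever a packet lacks that field. The following is an added example (not code from the thread or from Splunk) that maps lines of that output back onto the field names from Jerrad's command, the same job a delimiter-based extraction would do at index time. The sample line is constructed from the values in the post, with empty columns assumed for the GTP fields that packet did not carry.

```python
"""Parse tab-separated `tshark -T fields` output into named fields."""
from datetime import datetime
from typing import Dict, List, Optional

# Field names in the exact order of the -e options in the tshark command
# above; tshark emits one tab-separated column per -e, in that order.
TSHARK_FIELDS: List[str] = [
    "frame.time", "gtp.teid", "gtp.teid_cp", "gtp.imsi", "gtp.msisdn",
    "gtp.apn", "gtp.mcc", "gtp.mnc", "gtp.lac", "gtp.rac", "gtp.user_ipv4",
    "gtp.cause", "gtp.chrg_id", "gtp.gsn_ipv4", "eth.src", "eth.dst",
    "gtp.ext_imeisv", "gtp.ext_sac",
]

def parse_frame_time(value: str) -> Optional[datetime]:
    """frame.time looks like 'Mar 25, 2011 03:12:25.154535000' (nanoseconds).
    Python's %f accepts at most six digits, so truncate to microseconds."""
    head, dot, frac = value.partition(".")
    if dot:
        value = f"{head}.{frac[:6]}"
    try:
        return datetime.strptime(value, "%b %d, %Y %H:%M:%S.%f")
    except ValueError:
        return None  # malformed or empty timestamp: keep the line, flag the field

def parse_tshark_line(line: str) -> Dict[str, object]:
    """Map one tab-separated tshark line onto TSHARK_FIELDS.
    Empty columns (field absent from that packet) become None; a short line
    (fewer columns than -e options) is padded rather than rejected."""
    cols = line.rstrip("\r\n").split("\t")
    cols += [""] * (len(TSHARK_FIELDS) - len(cols))
    record: Dict[str, object] = {n: (v or None) for n, v in zip(TSHARK_FIELDS, cols)}
    record["_time"] = parse_frame_time(cols[0])
    return record

# Constructed sample line: the values from the post's sample, with empty tabs
# assumed for the GTP fields that packet did not carry (imsi, apn, ...).
SAMPLE_LINE = "\t".join([
    "Mar 25, 2011 03:12:25.154535000", "0x0c038f47", "0x1496242c",
    "", "", "", "", "", "", "", "11.11.11.11", "128", "0x584f9ea0",
    "10.10.10.10", "00:00:00:00:00:00", "00:00:00:00:00:00", "", "",
])

if __name__ == "__main__":
    rec = parse_tshark_line(SAMPLE_LINE)
    for name, val in rec.items():
        if val is not None:
            print(f"{name}={val}")
```

Feeding the real tshark_gtp_* files through this (or an equivalent Splunk delimiter extraction) is what turns the flat columns into searchable field=value pairs.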

misteryuku
Communicator

Okay. Understood.
