Splunk Search

How to configure level of details splunk stream provides from pcaps?

AlesFrohlich
Explorer

Hello,

Can anyone help clarify whether it is possible to configure/enhance the level of detail Splunk Stream provides from pcaps? I was testing upload of a small pcap file with only one packet (a TLS 1.0 handshake packet) and the result was:

[screenshot of the search result was attached here]

Here is the CLI output from when I was uploading the pcap. There is a NetFlow error, but I do not expect any NetFlows there:

[root@xxxx splunk]# sudo -u splunker ./etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd -r /tmp/2500857281303226393.pcap --index stream_pcap
06:40:56.334 INFO  stream.CaptureServer - Found DataDirectory: /opt/splunk/etc/apps/Splunk_TA_stream/data
06:40:56.334 INFO  stream.CaptureServer - Found UIDirectory: /opt/splunk/etc/apps/Splunk_TA_stream/ui
06:40:56.895 INFO  stream.StreamSender - Successfully pinged server (config needs update): 1fbf522d-9e4d-489f-8f76-dc472e672025
06:40:56.895 INFO  stream.CaptureServer - Default configuration directory: /opt/splunk/etc/apps/Splunk_TA_stream/default
06:40:56.897 INFO  stream.CaptureServer - Start sending pcap data
06:40:56.898 INFO  stream.StreamSender - Successfully pinged server (config needs update): 1fbf522d-9e4d-489f-8f76-dc472e672025
06:40:56.942 INFO  stream.CaptureServer - Configuring offline capture with pcap file /tmp/2500857281303226393.pcap
06:40:56.943 INFO  stream.CaptureServer - Starting data capture
06:40:56.944 INFO  stream.SnifferReactor - Starting network capture: sniffer
06:40:56.947 ERROR stream.CaptureServer - NetFlow receiver configuration is not set in streamfwd.conf. NetFlow data will not be captured. Please update streamfwd.conf to include correct NetFlow receiver configuration.
06:40:56.947 ERROR stream.CaptureServer - File extraction is enabled in one of the streams but file mount point information is not set in streamfwd.conf. Extracted files will not get saved in file system.
06:40:56.947 INFO  stream.SnifferReactor - All capture devices have finished: sniffer
06:40:56.947 INFO  stream.main - streamfwd has started successfully (version 7.1.1 build 137)
06:40:57.198 INFO  stream.StreamSender - (#0) Connection established to 127.0.0.1:8889
06:40:57.448 INFO  stream.CaptureServer - Finished sending pcap data; shutting down
06:40:57.448 INFO  stream.main - streamfwd is shutting down pid: 20041

Thank you in advance for any help.

Regards,
A.

0 Karma
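The streamfwd output quoted in the question mixes an INFO trail (pcap opened, connection to the indexer established, replay finished) with two ERROR lines that are about features the pcap does not use. As an added example, not code from the post or from Splunk, the script below parses that console format and sorts the errors into ones that are expected for the run (no NetFlow receiver when the capture contains no NetFlow; no file mount point when file extraction is not needed) and ones that would actually block ingestion. The log text is a constructed sample copied from the lines in the question, and the `expect_netflow` / `expect_file_extraction` flags are assumptions of this script, not streamfwd options.

```python
import re
from collections import Counter

# Constructed sample: the shell prompt line plus a subset of the streamfwd
# log lines quoted in the question above.
SAMPLE_LOG = """\
[root@xxxx splunk]# sudo -u splunker ./etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd -r /tmp/2500857281303226393.pcap --index stream_pcap
06:40:56.334 INFO  stream.CaptureServer - Found DataDirectory: /opt/splunk/etc/apps/Splunk_TA_stream/data
06:40:56.942 INFO  stream.CaptureServer - Configuring offline capture with pcap file /tmp/2500857281303226393.pcap
06:40:56.947 ERROR stream.CaptureServer - NetFlow receiver configuration is not set in streamfwd.conf. NetFlow data will not be captured. Please update streamfwd.conf to include correct NetFlow receiver configuration.
06:40:56.947 ERROR stream.CaptureServer - File extraction is enabled in one of the streams but file mount point information is not set in streamfwd.conf. Extracted files will not get saved in file system.
06:40:56.947 INFO  stream.main - streamfwd has started successfully (version 7.1.1 build 137)
06:40:57.198 INFO  stream.StreamSender - (#0) Connection established to 127.0.0.1:8889
06:40:57.448 INFO  stream.CaptureServer - Finished sending pcap data; shutting down
"""

# streamfwd console layout as seen in the question: "HH:MM:SS.mmm LEVEL component - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+"
    r"(?P<component>\S+)\s+-\s+"
    r"(?P<msg>.*)$"
)


def parse_streamfwd_log(text):
    """Parse streamfwd console output into dicts with ts/level/component/msg.

    Lines that do not fit the log layout (the shell prompt, blank lines) are skipped.
    """
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entries, expect_netflow=False, expect_file_extraction=False):
    """Summarize one pcap replay run and split ERROR lines into expected vs. blocking.

    expect_netflow / expect_file_extraction are assumptions of this script: they
    describe what the analyst needs from the pcap, not anything streamfwd reads.
    """
    expected, blocking = [], []
    for e in entries:
        if e["level"] != "ERROR":
            continue
        msg = e["msg"]
        if "NetFlow" in msg and not expect_netflow:
            expected.append(msg)          # nothing to receive anyway
        elif "file mount point" in msg and not expect_file_extraction:
            expected.append(msg)          # extracted files not needed
        else:
            blocking.append(msg)

    pcap_files = []
    for e in entries:
        m = re.search(r"pcap file (\S+)", e["msg"])
        if m:
            pcap_files.append(m.group(1))

    return {
        "levels": dict(Counter(e["level"] for e in entries)),
        "pcap_files": pcap_files,
        "forwarder_connected": any("Connection established" in e["msg"] for e in entries),
        "replay_finished": any("Finished sending pcap data" in e["msg"] for e in entries),
        "expected_errors": expected,
        "blocking_errors": blocking,
    }


if __name__ == "__main__":
    report = triage(parse_streamfwd_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the saved console output of a replay (`streamfwd -r file.pcap ... > run.log 2>&1`, then read `run.log` instead of `SAMPLE_LOG`). When `replay_finished` is true, the forwarder connected, and `blocking_errors` is empty, the pcap was delivered; how much detail then appears per event is governed by the stream definitions in the Stream app rather than by anything in this log, which is the question the post is asking.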