Splunk Search

How to configure level of details splunk stream provides from pcaps?

AlesFrohlich
Explorer

Hello,

Can anyone help to clarify if it is possible to configure/enhance a level of details splunk stream provides from pcaps? I was testing upload of small pcap file with only one package (tls 1.0 handshake package) and the result was:
alt text

here is cli output when I was uploading the pcap. There is a netflow error but I do not expect any netflows there:

[root@xxxx splunk]# sudo -u splunker ./etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd -r /tmp/2500857281303226393.pcap --index stream_pcap
06:40:56.334 INFO  stream.CaptureServer - Found DataDirectory: /opt/splunk/etc/apps/Splunk_TA_stream/data
06:40:56.334 INFO  stream.CaptureServer - Found UIDirectory: /opt/splunk/etc/apps/Splunk_TA_stream/ui
06:40:56.895 INFO  stream.StreamSender - Successfully pinged server (config needs update): 1fbf522d-9e4d-489f-8f76-dc472e672025
06:40:56.895 INFO  stream.CaptureServer - Default configuration directory: /opt/splunk/etc/apps/Splunk_TA_stream/default
06:40:56.897 INFO  stream.CaptureServer - Start sending pcap data
06:40:56.898 INFO  stream.StreamSender - Successfully pinged server (config needs update): 1fbf522d-9e4d-489f-8f76-dc472e672025
06:40:56.942 INFO  stream.CaptureServer - Configuring offline capture with pcap file /tmp/2500857281303226393.pcap
06:40:56.943 INFO  stream.CaptureServer - Starting data capture
06:40:56.944 INFO  stream.SnifferReactor - Starting network capture: sniffer
06:40:56.947 ERROR stream.CaptureServer - NetFlow receiver configuration is not set in streamfwd.conf. NetFlow data will not be captured. Please update streamfwd.conf to include correct NetFlow receiver configuration.
06:40:56.947 ERROR stream.CaptureServer - File extraction is enabled in one of the streams but file mount point information is not set in streamfwd.conf. Extracted files will not get saved in file system.
06:40:56.947 INFO  stream.SnifferReactor - All capture devices have finished: sniffer
06:40:56.947 INFO  stream.main - streamfwd has started successfully (version 7.1.1 build 137)
06:40:57.198 INFO  stream.StreamSender - (#0) Connection established to 127.0.0.1:8889
06:40:57.448 INFO  stream.CaptureServer - Finished sending pcap data; shutting down
06:40:57.448 INFO  stream.main - streamfwd is shutting down pid: 20041

Thank you in advance for any help.

Regards,
A.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...