Matching tcpdump data
Hey

I'm trying to create a search app for tcpdump - a splunk version of mk-tcp-model.

I need to somehow associate the tcpdump packets with one another. For example, the tcpdump output I'm ingesting is:

2011-08-15 13:28:36.851862 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 78
2011-08-15 13:28:36.853024 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 64
2011-08-15 13:28:36.853138 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 11
2011-08-15 13:28:36.853230 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 37
2011-08-15 13:28:36.853321 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 99
2011-08-15 13:28:40.862205 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 22
2011-08-15 13:28:40.862334 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 64
2011-08-15 13:28:40.862379 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 9
2011-08-15 13:28:40.862438 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 11
2011-08-15 13:28:40.863192 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 19
2011-08-15 13:28:40.863448 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 175
2011-08-15 13:28:40.863543 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 16
2011-08-15 13:28:40.863646 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 113
2011-08-15 13:28:41.590145 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 5

This contains the query and response in sequence, e.g.:

2011-08-15 13:28:36.851862 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 78
2011-08-15 13:28:36.853024 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 64

A single query that took 13:28:36.853024 -13:28:36.851862 seconds to execute.

2011-08-15 13:28:36.853138 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 11
2011-08-15 13:28:36.853230 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 37

A single query that took 13:28:36.853230 -13:28:36.853138 seconds to execute.

and so on...

So I'm having trouble building a transaction within Splunk for them. I'm not sure if I can or not.

I think this is what will work:

source="/tmp/tcpdump.out"  sourcetype="out-too_small" | rename srcipport as ipport  | rename dstipport as ipport  | transaction ipport maxevents=2

Has anyone else done this before?

I think transaction is the right way to go, but you should probably consider a different set of field extractions and transaction fields.

A single TCP session is identifiable by a 4-tuple -- (source_ip,source_port,dest_ip,dest_port). You need to extract ALL of these and use them ALL as the grouping fields on your transaction command.

I think one issue here, though, is that the definition of source_ip and dest_ip change depending on which participant in the session is sending the packet. I see where you tried to fix that via rename -- but I'm not sure that will work in all cases.

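To illustrate the answer's point about the 4-tuple and the flipping src/dst direction, here is an added prototype (not code from the thread) that parses the tcpdump lines quoted in the question, builds a direction-independent flow key from both endpoints, and pairs each packet with the next one travelling the opposite way across the same session to get the per-query latency. The sample input is the first four packets from the question; the pairing rule (consecutive opposite-direction packets) follows the poster's description and is an assumption, not a tcpdump or Splunk feature.

```python
import re
from datetime import datetime

# Constructed sample: the first four tcpdump lines quoted in the question.
SAMPLE = """\
2011-08-15 13:28:36.851862 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 78
2011-08-15 13:28:36.853024 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 64
2011-08-15 13:28:36.853138 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 11
2011-08-15 13:28:36.853230 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 37
"""

# Field extraction for one "tcpdump -tttt" style line: timestamp, 4-tuple, length.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): tcp (?P<length>\d+)$"
)

def parse_packet(line):
    """Return the timestamp, (src_ip, src_port), (dst_ip, dst_port) and length,
    or None when the line does not match the expected tcpdump format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
        "src": (m["sip"], int(m["sport"])),
        "dst": (m["dip"], int(m["dport"])),
        "length": int(m["length"]),
    }

def flow_key(pkt):
    """Direction-independent session key: both endpoints of the 4-tuple, sorted,
    so packets going either way across one TCP session share the same key.
    This is the normalisation a plain rename of src/dst fields cannot provide."""
    return tuple(sorted([pkt["src"], pkt["dst"]]))

def pair_transactions(text):
    """Group packets by flow key and pair each packet with the next packet in
    the same session that travels in the opposite direction (query/response).
    Returns a list of (flow_key, latency_seconds, combined_bytes)."""
    pending, results = {}, []
    for line in text.splitlines():
        pkt = parse_packet(line)
        if pkt is None:
            continue  # skip lines that are not tcp packet summaries
        key = flow_key(pkt)
        first = pending.get(key)
        if first is not None and first["src"] == pkt["dst"]:
            latency = (pkt["ts"] - first["ts"]).total_seconds()
            results.append((key, round(latency, 6), first["length"] + pkt["length"]))
            del pending[key]
        else:
            pending[key] = pkt  # start (or restart) a pair for this session
    return results
```

In Splunk the same normalisation can be done with eval before the transaction command, so that both directions of a session share one grouping field.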