- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- TCP Dump Splunk question, please Help!
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have noticed that reading an output of a TCP dump is as follows:
The requesting Host sends a synchronization flag (SYN) in a TCP segment to create a connection.
The receiving Host 192.168.2.165 receives the SYN flag and returns an acknowledgment flag (ACK).
The requesting Host 192.168.2.10 receives the SYN flag and returns it's own ACK flag.
But only 104 of my the network transactions are [SYN] or [SYN,ACK], the rest of the 14,711 are mostly just [ACK], which makes it even more confusing.
Whats this about and for what reason, how does I read it then?
I just want to create a splunk search that can basically group up each start and end transaction, How can this be done?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The ACKs after the initial 3-way handshake are to acknowledge received packets, so you'll be seeing a lot of those. Without these ACK flags set the TCP delivery mechanisms wouldn't work. More information for instance here: http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Data_transfer
You can identify a unique transmission by creating a transaction based on the source host, source port, destination host and destination value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would strongly recommend going to Amazon and finding either the Stevens or Comer series on TCP/IP (or Both!) and studying up. You need to properly understand the protocols themselves before trying to use Splunk to process TCPDUMP data.
http://www.amazon.com/TCP-Illustrated-Protocols-Addison-Wesley-Professional/dp/0321336313
http://www.amazon.com/Internetworking-TCP-IP-Vol-5th/dp/0131876716
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks guys, its going to be a good journey studying TCP/IP connections with those references, ill be sure to get the ebook version for both.
Although there are so many different tools out there that pretty much snoop different varieties of TCP Dump outputs, question is which one would be best to Splunk in the future?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then, download a protocol analyzer to analyze the TCP connection data flow.
Example:
http://www.wireshark.org/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The ACKs after the initial 3-way handshake are to acknowledge received packets, so you'll be seeing a lot of those. Without these ACK flags set the TCP delivery mechanisms wouldn't work. More information for instance here: http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Data_transfer
You can identify a unique transmission by creating a transaction based on the source host, source port, destination host and destination value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The best way to create the transaction is described in my answer. The ack sequence ID's change all the time so you will have a hard time creating a transaction out of only that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you please give me an example of what one transaction would look like only for the [ACK] events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No...that's not what's happening. The layers aren't interacting in that way. The TCP packets carry data, in this case HTTP data. You should read up on the OSI model and how it works. TCP is acting as a transport. HTTP works on top of it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see, so what I can see in the TCP dumps is that the TCP Transport layer as the 'Source' is sending a request to the HTTP session layer as the destination to actually begin handling the data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you're confusing terms here. HTTP traffic happens on the session layer whereas establishing TCP connections happens on the transport layer.
"HTTP/1.1 200 OK" is not a request, it is a response. It can be a response to both a POST and a GET (or most other HTTP methods as well for that matter).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, so basically the first Ack is a Get and the next two Acks are the Responses but the first three are only the 3-way handshake Acks for the connection creation.
One more question though, is this "HTTP HTTP/1.1 200 OK" considered to be a GET request?, as in a response GET from the POST before it?
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
