I've placed tcpdump for my server's interface into a cronjob that is writing the output to a file. That file is then loaded into Splunk. I'm trying to extract the Source Address and ports from the tcpdump data, but I'm running into a rex/regex knowledge wall.
17:05:04.419162 IP6 www.espeakers.com.ntp > myserver.com.ntp: NTPv4, Client, length 48
17:07:00.950849 IP6 jail2.daycos.com.ntp > myserver.com.ntp: NTPv4, Client, length 48
17:09:06.084146 IP6 greenbee.greenbeefundraising.com.ntp > myserver.com.ntp: NTPv4, Client, length 48
17:14:07.998611 IP6 pdr-lan.ipv6.xtcn.com.ntp > myserver.com.ntp: NTPv4, Client, length 48
17:19:03.210652 IP6 bonobo.mopidy.com.ntp > myserver.com.ntp: NTPv4, Client, length 48
What I'm looking for is the rex syntax that will:
(a) Pull out the Source Address
(b) Pull out the Source Port
(c) Repeat A and B, but on the Destination Address and Port.
I tried the extract wizard, but I can't seem to get it to meet my demands.
Thanks,
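The pattern the question is after, worked through as an added example (not code from the original post or from Splunk): in tcpdump's summary line each endpoint is written as `host.port`, and the port (a service name such as `ntp` or a number) is always the last dot-separated component, so a greedy `\S+` followed by `\.` and a dot-free token splits host from port at the final dot. That works unchanged for hostnames, dotted IPv4 addresses and colon-separated IPv6 literals. The Python block below uses `(?P<name>...)` named groups; PCRE, which Splunk's `rex` uses, accepts that spelling too, so the same pattern can be pasted into `| rex field=_raw "..."` (with the `time` and `proto` groups dropped if only the four endpoint fields are wanted). The extra IPv4, IPv6-literal and ARP sample lines are constructed for the example; the five `IP6` lines are the ones from the question.

```python
import re
from collections import Counter
from typing import Optional

# tcpdump summary line: "HH:MM:SS.usec PROTO src.port > dst.port: ..."
# The port is the last dot-separated token of each endpoint, so the
# greedy \S+ for the host backtracks to the final dot and the
# dot-free character class picks up the port (name or number).
# The destination port is terminated by ':' so ':' is excluded from it.
TCPDUMP_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<proto>IP6?)\s+"
    r"(?P<src_addr>\S+)\.(?P<src_port>[^.\s:]+)\s+>\s+"
    r"(?P<dst_addr>\S+)\.(?P<dst_port>[^.\s:]+):"
)

# Same regex in Splunk rex form (assumed search fragment; PCRE accepts
# the (?P<name>...) spelling as well as (?<name>...)):
SPLUNK_REX = (
    '| rex field=_raw "^\\S+\\s+IP6?\\s+(?<src_addr>\\S+)\\.(?<src_port>[^.\\s:]+)'
    '\\s+>\\s+(?<dst_addr>\\S+)\\.(?<dst_port>[^.\\s:]+):"'
)

# First five lines are from the question; the last three are constructed
# to show IPv4, an IPv6 literal, and a non-IP line that must be skipped.
SAMPLE_LINES = [
    "17:05:04.419162 IP6 www.espeakers.com.ntp > myserver.com.ntp: NTPv4, Client, length 48",
    "17:07:00.950849 IP6 jail2.daycos.com.ntp > myserver.com.ntp: NTPv4, Client, length 48",
    "17:09:06.084146 IP6 greenbee.greenbeefundraising.com.ntp > myserver.com.ntp: NTPv4, Client, length 48",
    "17:14:07.998611 IP6 pdr-lan.ipv6.xtcn.com.ntp > myserver.com.ntp: NTPv4, Client, length 48",
    "17:19:03.210652 IP6 bonobo.mopidy.com.ntp > myserver.com.ntp: NTPv4, Client, length 48",
    "17:20:11.000001 IP 192.0.2.10.54321 > 198.51.100.5.123: NTPv4, Client, length 48",
    "17:21:02.123456 IP6 2001:db8::a.ntp > 2001:db8::1.ntp: NTPv4, Client, length 48",
    "17:22:00.000000 ARP, Request who-has 192.0.2.1 tell 192.0.2.2, length 28",
]


def parse_tcpdump_line(line: str) -> Optional[dict]:
    """Return the named groups for an IP/IP6 summary line, or None if the
    line is not one (ARP, continuation lines, etc.)."""
    m = TCPDUMP_RE.match(line)
    return m.groupdict() if m else None


def extract_endpoints(lines) -> list:
    """Parse every line, silently skipping the ones the regex rejects."""
    return [r for r in (parse_tcpdump_line(l) for l in lines) if r]


def count_by_dst_port(lines) -> dict:
    """Which services on the server are being hit, and how often."""
    return dict(Counter(r["dst_port"] for r in extract_endpoints(lines)))


def distinct_sources(lines) -> list:
    """Sorted list of distinct source hosts seen talking to the server."""
    return sorted({r["src_addr"] for r in extract_endpoints(lines)})


if __name__ == "__main__":
    for rec in extract_endpoints(SAMPLE_LINES):
        print(f'{rec["src_addr"]}:{rec["src_port"]} -> '
              f'{rec["dst_addr"]}:{rec["dst_port"]}')
    print("by destination port:", count_by_dst_port(SAMPLE_LINES))
    print("distinct sources:", len(distinct_sources(SAMPLE_LINES)))
    print("Splunk form:", SPLUNK_REX)
```

Once the four fields are extracted, `count_by_dst_port` and `distinct_sources` are the two follow-up views that usually matter when reviewing this kind of capture: which of the server's services are receiving traffic, and from how many separate hosts. If tcpdump was started with `-n`, the host fields will be numeric addresses instead of resolved names; the regex does not care either way.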