I'm new to Stream and not particularly experienced with wire data, but we have a test box receiving a span port (for now) to capture traffic to a certain server, and have been successful in setting up tcp flow captures. We recently reached out to another team to inspect some of their data coming to our Stream test server, however, and noticed that we are seeing hardly any traffic from their server. We only have a single Splunk event per port/protocol from their server so far, and it came in a long while after we started capturing.
We have no filters in place at the moment, and are capturing only tcp traffic.
To troubleshoot, we ran a tcpdump for traffic from this team's source, where we do see all of their raw traffic as expected, and then did a direct import of that capture file. The result was that we had two Splunk events total, one for each port being used by their application. We ran three separate captures, each limited to a different number of packets: 100, 200, 1000. This produced six events in Splunk, where we assumed there would be perhaps dozens given the traffic they are generating.
The issue appears to be with certain(?) persistent connections, but perhaps this is expected behavior? To my knowledge the application sending this traffic is your typical aggregate of clients talking to a database through an application/service, i.e., client hits app, app speaks to db, we capture app-to-db traffic.
This Answers post appears to be reporting the same or similar, but the marked answer is not an actual solution.
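One check worth doing before concluding that Stream is dropping traffic is to count how many distinct TCP connections the tcpdump file actually contains. If the application holds a couple of long-lived connections open to the database, a 1000-packet capture can legitimately contain only two connections, and a per-connection flow record would then produce only two events. The script below is an added example, not part of the original post or of Splunk Stream; it reads a classic libpcap file (not pcapng), assumes Ethernet framing and IPv4, and folds both directions of a connection into one flow key. The sample capture it builds in memory is constructed for the example: 100 packets spread over two persistent app-to-db connections.

```python
"""Count distinct bidirectional TCP connections in a libpcap capture.

Added example (not from the original post). Assumptions: classic pcap
format (magic 0xA1B2C3D4 / 0xD4C3B2A1), LINKTYPE_ETHERNET, IPv4 only.
"""
import socket
import struct
from collections import Counter


def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic little-endian libpcap container."""
    # magic, ver major/minor, thiszone, sigfigs, snaplen, network (1 = Ethernet)
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)))  # ts_sec, ts_usec, incl_len, orig_len
        out.append(frame)
    return b"".join(out)


def tcp_frame(src_ip, sport, dst_ip, dport, flags=0x18, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left at zero; fine for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64,
                     6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def tcp_flows(pcap_bytes):
    """Return a Counter of packets per TCP connection.

    The key is the sorted pair of (ip, port) endpoints, so app->db and db->app
    packets land in the same bucket. Non-Ethernet/IPv4/TCP records are skipped.
    """
    (magic,) = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")

    flows = Counter()
    offset = 24  # skip global header
    while offset + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap_bytes, offset)
        offset += 16
        frame = pcap_bytes[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # need Ethernet + IPv4 header
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:                                 # IP protocol 6 = TCP
            continue
        tcp_off = 14 + ihl
        if len(frame) < tcp_off + 4:
            continue
        src = socket.inet_ntoa(frame[14 + 12:14 + 16])
        dst = socket.inet_ntoa(frame[14 + 16:14 + 20])
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        flows[tuple(sorted([(src, sport), (dst, dport)]))] += 1
    return flows


def sample_capture():
    """Constructed sample: 100 packets over two persistent app-to-db connections."""
    frames = []
    for i in range(60):   # connection 1: app 10.0.0.5:51000 <-> db 10.0.0.9:5432
        if i % 2 == 0:
            frames.append(tcp_frame("10.0.0.5", 51000, "10.0.0.9", 5432, payload=b"Q"))
        else:
            frames.append(tcp_frame("10.0.0.9", 5432, "10.0.0.5", 51000, payload=b"R"))
    for i in range(40):   # connection 2: app 10.0.0.5:51001 <-> db 10.0.0.9:5433
        if i % 2 == 0:
            frames.append(tcp_frame("10.0.0.5", 51001, "10.0.0.9", 5433, payload=b"Q"))
        else:
            frames.append(tcp_frame("10.0.0.9", 5433, "10.0.0.5", 51001, payload=b"R"))
    return build_pcap(frames)


if __name__ == "__main__":
    # For a real file: flows = tcp_flows(open("capture.pcap", "rb").read())
    flows = tcp_flows(sample_capture())
    print(f"{sum(flows.values())} TCP packets in {len(flows)} connection(s)")
    for (a, b), n in flows.most_common():
        print(f"  {a[0]}:{a[1]} <-> {b[0]}:{b[1]}  {n} packets")
```

Run it against the actual tcpdump file and compare the connection count with the number of Stream events from that import. If the two numbers match, the low event count reflects a few long-lived connections rather than lost traffic; if the capture shows many more connections than events, the gap is in the Stream side and worth pursuing.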