All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

View Packet Payload in Stream

kbecker
Communicator
‎06-26-2015 06:54 AM

Starting looking at Stream and have a good amount of tcp/udp flow events in which app is "unknown". How can I view the packets payload in Splunk in order to parse out data/create custom streams? I have enabled src_content but this doesn't show the payload for "unknown" events.

Thanks in advance.

Tags (1)
0 Karma
Reply

vshcherbakov_sp
Splunk Employee
Splunk Employee
‎06-26-2015 09:40 AM

Do you mean the src_content field is not present for flows that could not be classified (app is "unknown")? If so, it's probably because Stream didn't capture any payload packets since the src_content data is captured independently from flow classification. I'd suggest checking the packet count fields to see if these flows have anything substantial. Enabling the dest_content field may also be of value.

0 Karma
Reply

kbecker
Communicator
‎06-28-2015 02:41 PM

Correct, the src_content and dest_content fields are only populated in just under 5% of our events (this is combined after enabling src_content & dest_content for both TCP & UDP).

What are the packet count fields, packets_in & packets_out?

Is there something else I need to do to view the packet payload within Splunk or will I need to generate some pcaps to start creating parsers for our custom apps?

0 Karma
Reply

vshcherbakov_sp
Splunk Employee
Splunk Employee
‎07-06-2015 12:03 PM

Yes, I'd start with checking packets_in and packets_out fields. There are also data_packets_in and data_packets_out fields indicating the number of TCP payload packets. I'd also suggest upgrading App for Stream to v 6.3 as it contains improvements in the flow classification logic.

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...