How does the Splunk monitor a Wireshark capture file in its textual form in windows 7? I converted the wireshark pcap file to the txt file. Based on what i read from the Splunk answers forum : http://splunk-base.splunk.com/answers/2922/splunk-monitoring-a-wireshark-file , jerrad installed the Splunk Light Forwarder and have it monitor the textual file from the /tshark/splunk/gtp/ directory.
So that means i can set up a Splunk light forwarder using Splunk web right? I followed the instructions from the http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Deployaforwarder which teaches how to set up the light heavy forwarders. The instruction states a heavy forwarder has to be set up before setting up a light forwarder, which im not sure of cos i clicked add new against the configure forwarding section, which i have entered the host and port no and saved the settings.
However, i'm quite new to Splunk and now im using Splunk 4.3. When i was about to go to the manager in the Splunk Web to set up the forwarder, the instruction in the forwarding and recieving section in manager states that CAUTION: This will immediately turn off Splunk Web if the light forwarder in the Splunk web. So i would like to know if the light forwarder is the one that monitors the converted wireshark captured file as txt file since Splunk 4.3 ?
I hope this would not be treated as a duplicate question.
Personally I would still say TCPDUMP. Have a look at; http://splunk-base.splunk.com/apps/22283/splunk-visualizations it has TCPDUMP configured as an input which should give you a head start. If you want to look at DoS attacks you might be better getting a dedicated solution for DoS and feed logs from that into Splunk. Packet capture on Splunk consumes ALOT of a license. Sadly at the moment Splunks licensing model isn't geared up for things quite like this. You can also quite easily block the indexQueue
What is a feature about tcpdump that makes it suitable for detecting Denial of Service attacks?
now we have the PCAP Analyzer for Splunk APP 🙂
https://splunkbase.splunk.com/app/2748/
misteryuku,
What does your Splunk architecture consist of? - i.e. is it single installation running on one PC (e.g. your laptop or PC), or is Splunk running in a networked server and you are trying to collect data from a remote PC/laptop that runs Windows 7?
If you are running the Splunk server on your local PC/laptop AND the wireshark file is on the same physical machine, you will not need a forwarder (I think this may be were your confusion is) - A forwarder is used to collect data from a remote machine (i.e. if the wireshark file is on ANOTHER PC/laptop).
If the wireshark file is on another machine you will need to install Splunk there as a forwarder. In which case, once you have set up the remote instance of Splunk you will probably not need to use the GUI, so it may be beneficial (for system resources (i.e. CPU, memory, etc), to disable the interface.
It really depends what your architecure is ...?
Regards,
MHibbin
so basically its something like uploading right??
Yep. and also this question we're on. Just add it as a file to monitor in Splunk and it will digest it and tail the file for any changes
Is this the question you are referring to? : I had a sample Wireshark capture data file as txt file that contains an Ocurrence of SYN Flood. I would like Splunk to monitor that file only without any real time monitoring for a time being then i will switch to real time monitoring. The capture file as well as the Splunk is located in the same local PC.
Oh yes. Mhibbin and others have already answered that. you can just monitor any txt file as a data input on Splunk. There isn't anything special to it, as long as you aren't monitoring the pcap file.
See the answer I've posted 🙂
So even if i use wireshark which you claim isn't the best tool, it is still possible to monitor its capture files but not a good tool thats all. I just want to be able to monitor wiresharks capture files as txt files using Splunk that all for time being and now.
Obviously I am the one asking the question. so Snort is the best tool ?? Snort run as a command line is it??
Interestingly if you read this question here; http://ask.wireshark.org/questions/10051/log-file-that-detects-dos it appears that they also don't believe wireshark is the best tool for this...
I am aware that DoS is unlikely to show as anonamly. I also wanted to create alerts in Splunk based on the wireshark data monitored using Splunk
I would strongly suggest that monitoring a file like this would not be a very good solution to detecting DoS. If you really wanted to try and monitor for DoS with Splunk you would be marginally better off using TCPDUMP as a scripted input and do the monitoring in realtime, however have you done a test yet to analyse how much memory packet data can consume? Alot. Finally I Would also suggest that a DoS is unlikely to show as an anomaly, it would more likely manifest itself as a normal connection that you would expect but happening by an order of magnitude.
That means i would have to specify what i would like monitor. In this case, i would like to detect log anomalies such as the occurence of Denial of Service attacks. So what do i do so that i can monitor the wireshark text file the way i want?
What are you looking to monitor in the file?
So can i use this wireshark txt file for monitoring using Splunk?
However the contents in the wireshark txt file looks like this :
Frame 1: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Arrival Time: Feb 2, 2010 22:40:36.411832000 Malay Peninsula Standard Time
Epoch Time: 1265121636.411832000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 54 bytes (432 bits)
Capture Length: 54 bytes (432 bits)
............ and so on.......
So basically you mean is that i can simply upload the text file manually.
i.e. the correct timestamp recognition is in place, and line breaking is taking place correctly. It is easier to make changes to timestamp recognition/line breaking here, as Splunk will assist in the setup (and even show you what changes are being made to the props.conf file).
If this answers your question, can you mark the answer as accpeted (the tick next to my answer), as this will show others the question does not require more attention, and helps those looking for answers. 🙂