Refine your search:

Splunk - monitoring a wireshark file

2

i'm newbie to splunk and i'm trying to get splunk monitor a capture file from Wireshark. i set wireshark to capture traffic on a cap file and had splunk to monitor that file. I'm trying to see captured traffic and search inside that cap file to no avail. Any help?

asked 25 May '10, 15:29

offtheboxuser's gravatar image

offtheboxuser
2112
accept rate: 0%

edited 25 May '10, 19:13

piebob's gravatar image

piebob ♦♦
2.4k1516
3 Answers:
oldestnewestmost voted
4

My approach that is used in a production environment and works like a charm, I should note that I am not reading a file I am collecting this live as it happens on an interface that is connected to a switch SPAN port.

tshark_script.sh

date=`date +"%m-%d-%y_%H-%M"`
tshark -i eth3 -l -R "(gtp.message == 0x10) || (gtp.message == 0x11)" -Tfields -e frame.time -e gtp.teid -e gtp.teid_cp -e gtp.imsi -e gtp.msisdn -e gtp.apn -e gtp.mcc -e gtp.mnc -e gtp.lac -e gtp.rac -e gtp.user_ipv4 -e gtp.cause -e gtp.chrg_id -e gtp.gsn_ipv4 -e eth.src -e eth.dst -e gtp.ext_imeisv -e gtp.ext_sac > /tshark/splunk/gtp/tshark_gtp_$date

I then install the Splunk Light Forwarder and have it monitor the /tshark/splunk/gtp/ directory.

I have a cron that restarts tshark after a set period of time to avoid any memory/disk space issues and cleans up temp files.

Sample log output

Mar 25, 2011 03:12:25.154535000 0x0c038f47 0x1496242c 11.11.11.11 128 0x584f9ea0 10.10.10.10 00:00:00:00:00:00 00:00:00:00:00:00
link

answered 25 Mar '11, 21:07

jerrad's gravatar image

jerrad
1353
accept rate: 40%

4

The default format for wireshark/tcpdump/tshark is not a text file format. The ".cap" pcap format is a binary one. Splunk won't have the intimate knowledge of the pcap binary format to be able to process it natively.

From the manpage for tshark (command line wireshark):

   If you want to write the decoded form of packets to a file, 
   run TShark without the -w option, and redirect its standard 
   output to the file (do not use the -w option).

   When writing packets to a file, TShark, by default, writes the file
   in libpcap format, and writes all of the packets it sees to the output file.
link

answered 25 May '10, 15:39

dwaddle's gravatar image

dwaddle ♦
11.2k1516
accept rate: 34%

2

Per this thread, it sounds like you can transform a .cap file to text using a command like this:

tshark -r {file} -V

You could set up a Splunk scripted input using the command line above for one-time import of a single cap file.

This doesn't help you for up-to-the-second packet capture, but with some scripting fu you could probably cut new tshark CAP files every so often (e.g. every hour) and then use the scripted approach above to transform each new file into the text that Splunk needs.

link

answered 25 May '10, 16:55

Justin%20Grant's gravatar image

Justin Grant
1.5k6739
accept rate: 50%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×5

Asked: 25 May '10, 15:29

Seen: 2,149 times

Last updated: 18 Apr, 00:51

Related questions

Monitoring a wireshark file using Splunk

Adding data from Wireshark capture windows txt file into Splunk

Getting logs out of txt files converted from wireshark captures pcap file

Setting up input for file monitoring

File-change monitoring with Splunk -- how?

When a file is already set to index to splunk, and that file gets overwritten with updates, meaning instead of file being appended, does splunk smart enough to not to reindex already indexed data and only index what's newly aded?

How to move uploaded file to directory splunk is monitoring?

File monitoring not working after re-enabling

Copyright © 2005-2012 Splunk, Inc. All rights reserved.