View Packet Payload in Stream

kbecker · ‎06-26-2015

Starting looking at Stream and have a good amount of tcp/udp flow events in which app is "unknown". How can I view the packets payload in Splunk in order to parse out data/create custom streams? I have enabled src_content but this doesn't show the payload for "unknown" events.

Thanks in advance.

vshcherbakov_sp · ‎06-26-2015

Do you mean the src_content field is not present for flows that could not be classified (app is "unknown")? If so, it's probably because Stream didn't capture any payload packets since the src_content data is captured independently from flow classification. I'd suggest checking the packet count fields to see if these flows have anything substantial. Enabling the dest_content field may also be of value.

kbecker · ‎06-28-2015

Correct, the src_content and dest_content fields are only populated in just under 5% of our events (this is combined after enabling src_content & dest_content for both TCP & UDP).

What are the packet count fields, packets_in & packets_out?

Is there something else I need to do to view the packet payload within Splunk or will I need to generate some pcaps to start creating parsers for our custom apps?

vshcherbakov_sp · ‎07-06-2015

Yes, I'd start with checking packets_in and packets_out fields. There are also data_packets_in and data_packets_out fields indicating the number of TCP payload packets. I'd also suggest upgrading App for Stream to v 6.3 as it contains improvements in the flow classification logic.

View Packet Payload in Stream

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms