Splunk Search

How to match tcpdump data?

tnhtnh
New Member

Hey

I'm trying to create a search app for tcpdump - a splunk version of mk-tcp-model.

I need to somehow associate the tcpdump packets with one another. For example, the tcpdump output I'm ingesting is:

2011-08-15 13:28:36.851862 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 78
2011-08-15 13:28:36.853024 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 64
2011-08-15 13:28:36.853138 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 11
2011-08-15 13:28:36.853230 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 37
2011-08-15 13:28:36.853321 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 99
2011-08-15 13:28:40.862205 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 22
2011-08-15 13:28:40.862334 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 64
2011-08-15 13:28:40.862379 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 9
2011-08-15 13:28:40.862438 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 11
2011-08-15 13:28:40.863192 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 19
2011-08-15 13:28:40.863448 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 175
2011-08-15 13:28:40.863543 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 16
2011-08-15 13:28:40.863646 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 113
2011-08-15 13:28:41.590145 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 5

This contains the query and response in sequence, e.g.:

2011-08-15 13:28:36.851862 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 78
2011-08-15 13:28:36.853024 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 64

A single query that took (13:28:36.853024 - 13:28:36.851862) seconds to execute.

2011-08-15 13:28:36.853138 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 11
2011-08-15 13:28:36.853230 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 37

A single query that took (13:28:36.853230 - 13:28:36.853138) seconds to execute.

and so on.

So I'm having trouble building a transaction within Splunk for them. I'm not sure if I can or not.

I think this is what will work:

source="/tmp/tcpdump.out"  sourcetype="out-too_small" | rename srcipport as ipport  | rename dstipport as ipport  | transaction ipport maxevents=2

Has anyone else done this before?


scentoni_splunk
Splunk Employee

Sorry this is probably too late to help you, but maybe it will help others trying to do this:

| eval channel=if( srcip . ":" . srcport < dstip . ":" . dstport,
    printf("%s:%s-%s:%s",srcip,srcport,dstip,dstport),
    printf("%s:%s-%s:%s",dstip,dstport,srcip,srcport))
| transaction channel

What you want to compare is not exactly a 4-tuple but a set of two 2-tuples. Since the directionality is not relevant, we arbitrarily sort the list of two (ip,port) 2-tuples {src, dst} so that the first one is less than the second one.


dwaddle
SplunkTrust

I think transaction is the right way to go, but you should probably consider a different set of field extractions and transaction fields.

A single TCP session is identifiable by a 4-tuple -- (source_ip,source_port,dest_ip,dest_port). You need to extract ALL of these and use them ALL as the grouping fields on your transaction command.

I think one issue here, though, is that the definition of source_ip and dest_ip changes depending on which participant in the session is sending the packet. I see where you tried to fix that via rename -- but I'm not sure that will work in all cases.

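As an added example that is not part of the thread (neither the original post nor either reply), the following Python script does offline what the two answers describe in SPL: it parses the tcpdump lines from the original post, builds a direction-independent channel key from the two (ip, port) endpoints, and pairs each packet with the next packet travelling the opposite way on that channel, reporting the elapsed microseconds. It goes slightly beyond the thread in two ways: endpoints are ordered as (address, integer port) instead of as concatenated strings, so two different endpoint pairs cannot produce the same key, and consecutive same-direction packets (a multi-segment query or response) are merged into one side rather than paired with each other. The function names, the SAMPLE_LINES constant and the extra three-line flow used to show the merge case are constructed for this example.

```python
"""Pair tcpdump request/response packets into per-flow transactions.

Offline stand-in for the Splunk `eval channel=... | transaction channel`
approach discussed in the thread. SAMPLE_LINES are the lines from the
original post; everything else is constructed for this example.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# One `tcpdump -nn -tttt` style record, e.g.
# 2011-08-15 13:28:36.851862 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 78
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<srcip>\d+\.\d+\.\d+\.\d+)\.(?P<srcport>\d+) > "
    r"(?P<dstip>\d+\.\d+\.\d+\.\d+)\.(?P<dstport>\d+): tcp (?P<length>\d+)$"
)

SAMPLE_LINES = """\
2011-08-15 13:28:36.851862 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 78
2011-08-15 13:28:36.853024 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 64
2011-08-15 13:28:36.853138 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 11
2011-08-15 13:28:36.853230 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 37
2011-08-15 13:28:36.853321 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 99
2011-08-15 13:28:40.862205 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 22
2011-08-15 13:28:40.862334 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 64
2011-08-15 13:28:40.862379 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 9
2011-08-15 13:28:40.862438 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 11
2011-08-15 13:28:40.863192 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 19
2011-08-15 13:28:40.863448 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 175
2011-08-15 13:28:40.863543 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 16
2011-08-15 13:28:40.863646 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 113
2011-08-15 13:28:41.590145 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 5
""".splitlines()


def parse_line(line):
    """Return the 4-tuple fields, timestamp and payload length of one record,
    or None for lines that are not IPv4 TCP records in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
        "srcip": m["srcip"], "srcport": int(m["srcport"]),
        "dstip": m["dstip"], "dstport": int(m["dstport"]),
        "length": int(m["length"]),
    }


def channel_key(srcip, srcport, dstip, dstport):
    """Direction-independent flow key: the two (ip, port) endpoints sorted so
    both directions of one TCP session map to the same string. Addresses are
    compared as ipaddress objects and ports as integers, so a pair such as
    ('10.0.0.1', 2345) / ('10.0.0.12', 345) cannot collide the way a bare
    string concatenation without a separator would."""
    a = (ipaddress.ip_address(srcip), srcport)
    b = (ipaddress.ip_address(dstip), dstport)
    lo, hi = sorted([a, b])
    return f"{lo[0]}:{lo[1]}-{hi[0]}:{hi[1]}"


def pair_transactions(lines):
    """Group packets by channel and pair each packet with the next packet in
    the opposite direction on that channel. Consecutive same-direction packets
    are merged into the open side (bytes summed, first timestamp kept) instead
    of being paired with each other."""
    packets = [p for p in map(parse_line, lines) if p]
    packets.sort(key=lambda p: p["ts"])
    open_side = {}  # channel -> merged packet waiting for its counterpart
    txns = []
    for p in packets:
        ch = channel_key(p["srcip"], p["srcport"], p["dstip"], p["dstport"])
        cur = open_side.get(ch)
        if cur is None:
            open_side[ch] = dict(p)
        elif (cur["srcip"], cur["srcport"]) == (p["srcip"], p["srcport"]):
            cur["length"] += p["length"]  # same direction: extend, don't pair
        else:
            txns.append({
                "channel": ch,
                "from": f'{cur["srcip"]}:{cur["srcport"]}',
                "to": f'{p["srcip"]}:{p["srcport"]}',
                "bytes_out": cur["length"],
                "bytes_back": p["length"],
                # integer microseconds, no float rounding
                "elapsed_us": (p["ts"] - cur["ts"]) // timedelta(microseconds=1),
            })
            del open_side[ch]
    return txns


if __name__ == "__main__":
    for t in pair_transactions(SAMPLE_LINES):
        print(f'{t["channel"]} {t["from"]} -> {t["to"]} '
              f'{t["bytes_out"]}B/{t["bytes_back"]}B {t["elapsed_us"]} us')
```

Packets still sitting in open_side when the input ends are unanswered requests (or the tail of the capture); a Splunk `transaction` would surface them as incomplete transactions, and a real tool would also want to reset the open side when a new SYN reuses the same ephemeral port.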