Splunk Search

Getting logs out of txt files converted from Wireshark pcap capture files

misteryuku
Communicator

Based on the question asked at http://splunk-base.splunk.com/answers/2922/splunk-monitoring-a-wireshark-file
Jerrad showed a sample log output. So is the log output shown in the Splunk search app whenever you search for this sample log data? And how did Jerrad manage to output the sample log:

Mar 25, 2011 03:12:25.154535000 0x0c038f47 0x1496242c 11.11.11.11 128 0x584f9ea0 10.10.10.10 00:00:00:00:00:00 00:00:00:00:00:00

from the Wireshark pcap txt file? As in, GETTING LOGS OUT of the Wireshark capture file into a txt file? Does anyone have any idea?

So just to ask: that means, to get the logs from the Wireshark pcap txt file, you set the capture settings in the first place and what you choose to save, then create field extractions in props.conf and transforms.conf? Is it? Is that the way to do it? Overall I would like to know the whole process of doing this because I still don't understand the answers given for the question: http://splunk-base.splunk.com/answers/2922/splunk-monitoring-a-wireshark-file


MuS
Legend

Hi misteryuku,

This is my final approach to help you with this topic ..... did you read and understand Jerrad's post?

He was NOT using Wireshark, he was using tshark with a hell of a lot of options to get your posted sample log in his output log. This sample log was NOT produced in this form by Splunk but by tshark.

Try to set up tshark the way Jerrad did:

date=`date +"%m-%d-%y_%H-%M"`
tshark -i eth3 -l -R "(gtp.message == 0x10) || (gtp.message == 0x11)" -Tfields -e frame.time -e gtp.teid -e gtp.teid_cp -e gtp.imsi -e gtp.msisdn -e gtp.apn -e gtp.mcc -e gtp.mnc -e gtp.lac -e gtp.rac -e gtp.user_ipv4 -e gtp.cause -e gtp.chrg_id -e gtp.gsn_ipv4 -e eth.src -e eth.dst -e gtp.ext_imeisv -e gtp.ext_sac > /tshark/splunk/gtp/tshark_gtp_$date

and index that file /tshark/splunk/gtp/tshark_gtp_*. Forget about props.conf and transforms.conf; this would lead to another bunch of questions on how to do it.

cheers

PS: No, eth3 is not your network interface, and you probably don't have a /tshark/splunk/gtp/ path either......
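As an added example (this is not code from the thread or from Jerrad's post): once tshark has written the fields, Splunk only sees one line per packet with no field names, which is exactly where the props.conf/transforms.conf questions come from. One way to sidestep them is to have tshark emit a header line (`-E header=y -E separator=/t`) and post-process the file into `key=value` events, which Splunk extracts automatically at search time. The Python below does that conversion. The sample data embedded in it is constructed to mirror the line posted above (field names are a subset of Jerrad's `-e` list; the values are assumed), and the tshark invocation in the docstring assumes a saved capture read with `-r` and a display filter given with `-Y`, which current tshark versions use in place of the older `-R`.

```python
"""Convert tshark -Tfields output into Splunk-friendly key=value events.

Added example, not part of the original thread. Assumes tshark was run
against a saved capture with a header line and tab separators, e.g.:

  tshark -r capture.pcap -Y "(gtp.message == 0x10) || (gtp.message == 0x11)" \
      -Tfields -E header=y -E separator=/t \
      -e frame.time -e gtp.teid -e gtp.teid_cp -e gtp.user_ipv4 \
      -e gtp.cause -e gtp.chrg_id -e gtp.gsn_ipv4 -e eth.src -e eth.dst \
      > tshark_gtp.txt

Usage: python3 tshark_to_kv.py < tshark_gtp.txt > gtp_events.log
"""
import sys

TIME_FIELD = "frame.time"  # kept first so Splunk picks it up as the timestamp

# Constructed sample modelled on the line quoted in the thread; the second
# packet has several columns empty, as tshark emits when a field is absent.
SAMPLE = (
    "frame.time\tgtp.teid\tgtp.teid_cp\tgtp.user_ipv4\tgtp.cause\t"
    "gtp.chrg_id\tgtp.gsn_ipv4\teth.src\teth.dst\n"
    "Mar 25, 2011 03:12:25.154535000\t0x0c038f47\t0x1496242c\t11.11.11.11\t128\t"
    "0x584f9ea0\t10.10.10.10\t00:00:00:00:00:00\t00:00:00:00:00:00\n"
    "Mar 25, 2011 03:12:26.000000000\t\t0x1496242c\t\t\t\t10.10.10.10\t"
    "00:00:00:00:00:00\t00:00:00:00:00:00\n"
)


def parse_tshark_fields(text, separator="\t"):
    """Parse -Tfields output whose first line is the -E header=y field list.

    Every data line carries one column per -e field (empty when the packet
    lacks it). Returns one dict per packet keyed by the tshark field name;
    a line with the wrong column count is a corrupt or truncated file.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split(separator)
    records = []
    for lineno, line in enumerate(lines[1:], start=2):
        cols = line.split(separator)
        if len(cols) != len(header):
            raise ValueError(
                f"line {lineno}: expected {len(header)} columns, got {len(cols)}"
            )
        records.append(dict(zip(header, cols)))
    return records


def _quote(value):
    """Double-quote values with whitespace or quotes so key=value
    extraction keeps them as a single value."""
    if '"' in value or any(ch.isspace() for ch in value):
        return '"' + value.replace('"', '\\"') + '"'
    return value


def to_splunk_event(record, time_field=TIME_FIELD):
    """Render one packet as '<timestamp> key=value key=value ...'.

    Empty columns are dropped rather than emitted as 'key=' so that a
    search like gtp_teid=* only matches packets that actually carry a TEID.
    Dots in tshark field names become underscores to keep the extracted
    Splunk field names plain.
    """
    parts = [record.get(time_field, "")]
    for name, value in record.items():
        if name == time_field or value == "":
            continue
        parts.append(f"{name.replace('.', '_')}={_quote(value)}")
    return " ".join(parts)


def convert(text):
    """Whole-file conversion: one Splunk event line per packet."""
    return "\n".join(to_splunk_event(r) for r in parse_tshark_fields(text))


if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(convert(source))
```

Index the resulting file with a plain monitor input; each line starts with the `frame.time` value and the rest is `key=value` pairs, so searches such as `gtp_user_ipv4=11.11.11.11` work without any props.conf or transforms.conf stanza.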

misteryuku
Communicator

Okay. Understood.
