PCAP Analyzer for Splunk: How do I analyze a static PCAP file?

wuming79
Path Finder

Hi,

I am trying to analyze a static PCAP file. I have pointed Splunk to the pcap file using "Data inputs » PCAP File Location". But when I view the Top Talker Overview, with "Select tcpdump file" as "All" or "C:\Program Files\Splunk\etc\apps\SplunkForPCAP\bin\pcap2csv.bat", the search status is always "Search is waiting for input...".

As an alternative, I have managed to convert the pcap file to csv using Wireshark and upload the data to Splunk, but I would still like to use the app as a reference on what I can see from a pcap file.

May I know what else I need to do to view the pcap file using the app?

0 Karma

rechteklebe
Path Finder

Hi everyone.
I've just uploaded a new version (4.1.5) on splunkbase which will fix the problem.
https://splunkbase.splunk.com/app/2748/
Best regards,

0 Karma

ronnietheengine
New Member

I tested and confirmed that the new version is working with Win 10.

Thank you

0 Karma

rechteklebe
Path Finder

Hi, it seems related to your python installation. Which version do you have installed?

wuming79
Path Finder

I'm running with 2.7.12+.

0 Karma

wuming79
Path Finder

Hi,

I'm following the steps up to where I need to define a name as "myfolder" and path as "/var/tmp/", but I keep getting the error message. What does "global name 'symbol' is not defined" mean?

0 Karma

ronnietheengine
New Member

Hello,

I am trying with Windows but still have the same problem. What's the right path to save here?

0 Karma

rechteklebe
Path Finder

I've published a short getting started post at https://devops-online.com/pcap-analyzer-for-splunk-getting-started/
Please go through these points.
Your pcap file should appear with the same name in the dropdown menu.
If not, please make sure the points in the post are done.

0 Karma

wuming79
Path Finder

I did point UI --> PCAP File Location to my pcap file. From the search "Data Summary" I can see the index was updated right when I set the PCAP File Location. But the PCAP file did not disappear from the folder. From Search, the pcap is as shown below. The information is not as detailed as when I look at it in Wireshark.

PCAP Analyzer for Splunk could not display anything at all on the dashboard, even when I change to another tcpdump selection.

0 Karma

rechteklebe
Path Finder

Hi,

Put the .pcap file into the folder you have specified via UI --> PCAP File Location (e.g. C:\Temp).
(No need to upload a csv file. The app will do it for you, with the proper field extraction etc.)

Make sure the SPLUNK_HOME variable is set and Wireshark is installed under %programfiles%.

The app checks every minute for new pcap files.
You will recognize that your conversion was successful because the file will disappear from that folder.

Let me know if you have more questions.

Best regards

0 Karma
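The answer above lists three prerequisites (SPLUNK_HOME set, Wireshark under %ProgramFiles%, the capture placed in the folder configured as "PCAP File Location") and one success signal (the file disappears once converted). The script below is an added example, not part of the app or of any post in this thread, that checks those points before you wait on the dashboard. It assumes the converter needs `tshark.exe` inside the Wireshark directory, that the watch folder is passed in explicitly, and that a capture still present after the one-minute polling interval indicates a failed conversion; all sample paths and the placeholder files in `run_demo()` are constructed for the demonstration.

```python
"""Pre-flight checks for PCAP Analyzer for Splunk on Windows (added example).
Assumptions: tshark.exe is the converter binary the app relies on, and the
PCAP File Location is supplied as `pcap_dir`."""
import os
import tempfile
from pathlib import Path

PCAP_SUFFIXES = (".pcap", ".pcapng", ".cap")


def pending_pcaps(pcap_dir):
    """Captures still waiting in the watch folder.
    The app removes a file once it has converted it, so a name that is still
    listed here after the one-minute polling interval points at a failed run."""
    folder = Path(pcap_dir)
    if not folder.is_dir():
        return []
    return sorted(p.name for p in folder.iterdir()
                  if p.suffix.lower() in PCAP_SUFFIXES)


def check_prerequisites(pcap_dir, env=None, program_files=None):
    """Return a list of problems found; an empty list means every check passed.
    `env` defaults to os.environ, `program_files` to %ProgramFiles%."""
    env = os.environ if env is None else env
    problems = []
    if not env.get("SPLUNK_HOME"):
        problems.append("SPLUNK_HOME environment variable is not set")
    if program_files is None:
        program_files = env.get("ProgramFiles", r"C:\Program Files")
    wireshark_dir = Path(program_files) / "Wireshark"
    if not wireshark_dir.is_dir():
        problems.append(f"Wireshark is not installed under {program_files}")
    elif not (wireshark_dir / "tshark.exe").is_file():  # assumed converter binary
        problems.append(f"tshark.exe not found in {wireshark_dir}")
    if not Path(pcap_dir).is_dir():
        problems.append(f"PCAP File Location {pcap_dir} does not exist")
    elif not pending_pcaps(pcap_dir):
        problems.append(f"no capture file is waiting in {pcap_dir}")
    return problems


def run_demo():
    """Build a constructed layout in a temp dir and run the checks twice:
    once with everything in place, once with SPLUNK_HOME unset and no capture."""
    with tempfile.TemporaryDirectory() as root:
        program_files = Path(root) / "Program Files"
        (program_files / "Wireshark").mkdir(parents=True)
        (program_files / "Wireshark" / "tshark.exe").write_bytes(b"")  # placeholder
        watch = Path(root) / "pcap_in"
        watch.mkdir()
        # constructed file carrying only the little-endian pcap magic number
        (watch / "capture01.pcap").write_bytes(b"\xd4\xc3\xb2\xa1")
        good = check_prerequisites(watch, env={"SPLUNK_HOME": r"C:\Program Files\Splunk"},
                                   program_files=program_files)
        (watch / "capture01.pcap").unlink()  # simulate a completed conversion
        bad = check_prerequisites(watch, env={}, program_files=program_files)
        return good, bad


if __name__ == "__main__":
    # Real use: point this at the folder you set under PCAP File Location.
    for problem in check_prerequisites(r"C:\Temp"):
        print("FAIL:", problem)
```

Run it once before dropping a capture in and once about two minutes after: the first run should report no problems, the second should report that no capture file is waiting, which is the "file disappears" signal from the answer. If the capture is still listed on the second run, the conversion did not happen and the Wireshark or SPLUNK_HOME check is the first place to look.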