Hi,
I am trying to analyze a static PCAP file. I have pointed Splunk to the pcap file using "Data inputs » PCAP File Location". But when I view the Top Talker Overview, with "Select tcpdump file" set to "All" or to "C:\Program Files\Splunk\etc\apps\SplunkForPCAP\bin\pcap2csv.bat", the search status is always "Search is waiting for input...".
As an alternative, I have managed to convert the pcap file to CSV using Wireshark and upload the data to Splunk, but I would still like to use the app as a reference for what I can see from a pcap file.
May I know what else I need to do to view the pcap file using the app?
Hi everyone.
I've just uploaded a new version (4.1.5) on splunkbase which will fix the problem.
https://splunkbase.splunk.com/app/2748/
Best regards,
I tested and confirmed that the new version is working with Win 10.
Thank you
Hi, it seems related to your python installation. Which version do you have installed?
I'm running with 2.7.12+.
Hello,
I am trying with Windows but still have the same problem. What's the right path to save here?
I've published a short getting started post at https://devops-online.com/pcap-analyzer-for-splunk-getting-started/
Please go through these points.
Your pcap file should appear with the same name in the dropdown menu.
If not, please make sure the points in the post are done.
I did point UI --> PCAP File Location to my pcap file. From the "Data Summary" search I can see the index was updated just when I set the PCAP File Location. But the PCAP file did not disappear from the folder. From Search, the pcap is as shown below. The information is not as detailed as when I look at it in Wireshark.
PCAP Analyzer for Splunk could not display anything at all on the dashboard, even when I change to another tcpdump selection.
Hi,
Put the .pcap file into the folder you have specified via UI --> PCAP File Location (e.g. C:\Temp).
(No need to upload a CSV file. The app will do it for you, with the proper field extractions etc.)
Make sure the SPLUNK_HOME variable is set and Wireshark is installed under %programfiles%.
The app checks every minute for new pcap files.
You will recognize that your conversion was successful because the file will disappear from that folder.
Let me know if you have more questions.
Best regards
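As an added example (not the app's own pcap2csv.bat, which drives Wireshark for this step), here is a minimal libpcap reader that does the conversion the answer describes: it walks the capture, keeps the IPv4 frames, and emits the src/dst/bytes CSV a Top Talker view is built from. It assumes a classic pcap file (not pcapng) with Ethernet link type, and runs against a constructed sample capture rather than a file on disk.

```python
import csv, io, struct
from collections import Counter

def parse_pcap(data):
    """Yield raw frames from a classic libpcap file (either byte order); pcapng is not handled."""
    endian = {b'\xd4\xc3\xb2\xa1': '<', b'\xa1\xb2\xc3\xd4': '>'}.get(data[:4])
    if endian is None:
        raise ValueError('not a classic pcap file')
    if struct.unpack(endian + 'I', data[20:24])[0] != 1:  # global header: link type must be Ethernet
        raise ValueError('only Ethernet captures are handled here')
    off = 24
    while off + 16 <= len(data):  # record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(endian + 'IIII', data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def ipv4_endpoints(frame):
    """Return (src, dst, ip_total_length) for an Ethernet/IPv4 frame, else None (ARP, IPv6, ...)."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':
        return None
    total_len = struct.unpack('!H', frame[16:18])[0]
    return ('.'.join(map(str, frame[26:30])), '.'.join(map(str, frame[30:34])), total_len)

def top_talkers(data):
    """Bytes exchanged per (src, dst) pair, most active first."""
    counts = Counter()
    for ep in filter(None, map(ipv4_endpoints, parse_pcap(data))):
        counts[(ep[0], ep[1])] += ep[2]
    return counts.most_common()

def to_csv(rows):
    """CSV text whose header row gives Splunk the field names for extraction."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator='\n')
    w.writerow(['src_ip', 'dst_ip', 'bytes'])
    w.writerows([s, d, n] for (s, d), n in rows)
    return buf.getvalue()
# Constructed sample capture (not a real trace): three IPv4 frames plus one ARP frame to be skipped.
def _frame(src, dst, payload_len):
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))
    return b'\x00' * 12 + b'\x08\x00' + ip + b'\x00' * payload_len
def build_pcap(frames):
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)  # little-endian global header
    for i, f in enumerate(frames):
        out += struct.pack('<IIII', 1500000000 + i, 0, len(f), len(f)) + f
    return out
SAMPLE_PCAP = build_pcap([_frame('10.0.0.5', '10.0.0.9', 100), _frame('10.0.0.5', '10.0.0.9', 200),
                          b'\x00' * 12 + b'\x08\x06' + b'\x00' * 28, _frame('10.0.0.9', '10.0.0.5', 40)])
print(to_csv(top_talkers(SAMPLE_PCAP)), end='')
```

If the dropdown stays empty, this is also a quick way to confirm that the file in the watched folder is really a classic pcap with an Ethernet link type before suspecting the app itself.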