All Apps and Add-ons

Viewing PCAP data in Firepower app ... ?

alexgwilkinson
Explorer

Hi all,

Using the enconre TA with the Firepower Splunk App, PCAP data displays as for example:

rec_type=2 rec_type_desc="Packet Data" rec_type_simple=PACKET packet_len=217 packet_usec=1568254162 sensor=foo packet_sec=670888 packet=a2010000017c40553922fc41810002b00800450000c789424000330611b2a7638fa9ac1ac915becc00501fda73341650d071801872100dda00000101080a90883a57233b758a474554202f54656d706f726172795f4c697374656e5f4164647265737365732f534d535345525649434520485454502f312e310d0a486f73743a203230332e31362e32382e3130390d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a event_sec=1568254162 event_id=407 link_type=1 device_id=1

Question: How do I see the raw ASCII test for the pcap data in the aforementioned example ?

-Alex

0 Karma

douglashurd
Builder

Yes. We added that switch recently. No plans however to pout any sort of decoder into the app. Its been requested a few times. If we can come up with an easy way we will but its not on the roadmap presently.

0 Karma

alexgwilkinson
Explorer

Hi Douglas,

Thanks for your reply. I was able to append this to the query for HEX to ASCII conversion:

| rex mode=sed field=packet "s/([0-9A-Fa-f]{2})/%\1/g" | rex mode=sed field=packet "s/%[890ABCDEDFabcdef][\d\w]/-/g" | eval packet_ascii=urldecode(packet)

Seems to work well.

If there is ant feature request this would be it i.e. elegantly convert HEX to ASCII so I do not have to pivot back to FMC.

Thanks

-Alex

0 Karma

douglashurd
Builder

We don't perform the HEX to ASCII currently but we may insert a switch into the configuration file that does this. Converting to ASCII creates other problems though as there will be many special characters that don't mean anything. Currently, we assume customers use something like wireshark to perform the decode. With our new Splunk app you can right-click from the payload and link back into the FMC's event view for this event and see the packet decoded in the FMC UI.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...