Solved: Re: PCAP Analyzer for Splunk: Does anyone have the...

jtrujillo · ‎12-07-2015

I tried using the Unix one and I am getting this:

Capturing on 'Wi-Fi'
tshark: Invalid capture filter "–r SIPphone.pcap -T fields -e frame.time -e tcp.stream -e ip.src -e ip.dst -e _ws.col.Protocol -e tcp.srcport -e tcp.dstport -e tcp.len -e tcp.window_size -e tcp.flags.syn -e tcp.flags.ack -e tcp.flags.push -e tcp.flags.fin -e tcp.flags.reset -e ip.ttl -e _ws.col.Info -e tcp.analysis.ack_rtt -e vlan.id" for interface 'Wi-Fi'.

That string isn't a valid capture filter (illegal token).
See the User's Guide for a description of the capture filter syntax.

jtrujillo · ‎12-07-2015

Figured it out... the pcap2csv.sh has a char that OS X tshark doesn't like.

"do tshark –r "$f" -T fields -e f"

Notice the dash in front of the "r" is longer than the others... once I replaced that with a regular dash, it started working fine.

Maybe the dev will update in the next version.

View solution in original post

jtrujillo · ‎12-07-2015

Figured it out... the pcap2csv.sh has a char that OS X tshark doesn't like.

"do tshark –r "$f" -T fields -e f"

Notice the dash in front of the "r" is longer than the others... once I replaced that with a regular dash, it started working fine.

Maybe the dev will update in the next version.

PCAP Analyzer for Splunk: Does anyone have the tshark tokens for OS X that should be used?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases