- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Viewing PCAP data in Firepower app ... ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Viewing PCAP data in Firepower app ... ?
Hi all,
Using the enconre TA with the Firepower Splunk App, PCAP data displays as for example:
rec_type=2 rec_type_desc="Packet Data" rec_type_simple=PACKET packet_len=217 packet_usec=1568254162 sensor=foo packet_sec=670888 packet=a2010000017c40553922fc41810002b00800450000c789424000330611b2a7638fa9ac1ac915becc00501fda73341650d071801872100dda00000101080a90883a57233b758a474554202f54656d706f726172795f4c697374656e5f4164647265737365732f534d535345525649434520485454502f312e310d0a486f73743a203230332e31362e32382e3130390d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a event_sec=1568254162 event_id=407 link_type=1 device_id=1
Question: How do I see the raw ASCII test for the pcap data in the aforementioned example ?
-Alex
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes. We added that switch recently. No plans however to pout any sort of decoder into the app. Its been requested a few times. If we can come up with an easy way we will but its not on the roadmap presently.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Douglas,
Thanks for your reply. I was able to append this to the query for HEX to ASCII conversion:
| rex mode=sed field=packet "s/([0-9A-Fa-f]{2})/%\1/g" | rex mode=sed field=packet "s/%[890ABCDEDFabcdef][\d\w]/-/g" | eval packet_ascii=urldecode(packet)
Seems to work well.
If there is ant feature request this would be it i.e. elegantly convert HEX to ASCII so I do not have to pivot back to FMC.
Thanks
-Alex
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We don't perform the HEX to ASCII currently but we may insert a switch into the configuration file that does this. Converting to ASCII creates other problems though as there will be many special characters that don't mean anything. Currently, we assume customers use something like wireshark to perform the decode. With our new Splunk app you can right-click from the payload and link back into the FMC's event view for this event and see the packet decoded in the FMC UI.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
