Splunk Search

How to remove and isolate the SRC_ADDR and Port from a tcpdump

albyva
Communicator

I've placed tcpdump for my server's interface into a cronjob that is writing the output
to a file. That file is then loaded into Splunk. I'm trying to extract the Source Address and
ports from the tcpdump data, but I'm running into a rex/regex knowledge wall.

17:05:04.419162 IP6 www.espeakers.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

17:07:00.950849 IP6 jail2.daycos.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

17:09:06.084146 IP6 greenbee.greenbeefundraising.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

17:14:07.998611 IP6 pdr-lan.ipv6.xtcn.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

17:19:03.210652 IP6 bonobo.mopidy.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

What I'm looking for is the rex syntax that will:

(a) Pull out the Source Address
(b) Pull out the Source Port
(c) Repeat A and B, but on the Destination Address and Port.

I tried the extract wizard, but I can't seem to get it to meet my demands.

Thanks,


jsie_splunk
Splunk Employee

Try this:

| rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):"

This assumes what you've listed above is the entirety of each event, and performs the extractions setting the names listed. I tested it using the following two search commands. The first uses your existing format and the second tests to make sure it continues working if name/service resolution either isn't working, or if you decide to modify your tcpdump to not perform resolution.

source="*" | eval _raw="17:05:04.419162 IP6 bonobo.mopidy.com.ntp > myserver.com.ntp: NTPv4, Client, length 48" | rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):" | fields src_fqdn, src_svc, dst_fqdn, dst_svc

source="*" | eval _raw="17:05:04.419162 IP6 127.0.0.1.80 > 127.0.0.1.1234: NTPv4, Client, length 48" | rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):" | fields src_fqdn, src_svc, dst_fqdn, dst_svc

Regards and good luck.
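To see the accepted regex work outside Splunk, here is an added Python example (not part of the answer above, and not Splunk's own code) that applies the same pattern to constructed tcpdump lines: one in the resolved `host.service` form from the question, one unresolved IPv4 line, one unresolved IPv6 line (the `addr.port` layout is assumed to be what `tcpdump -n` prints for IPv6), and one portless line to show that a non-matching event yields no fields rather than a wrong extraction. Python's `re` names groups as `(?P<name>...)`, so that is the only change from the Splunk `(?<name>...)` syntax.

```python
import re
from typing import Dict, Optional, Tuple

# Same pattern as the Splunk rex above, with (?P<name>...) for Python's re module.
TCPDUMP_ENDPOINTS = re.compile(
    r"(?:\S+\s+){2}"                          # skip timestamp and the IP/IP6 marker
    r"(?P<src_fqdn>\S+)\.(?P<src_svc>\w+)"    # last dot splits address from service/port
    r"[\s>]+"                                 # the ' > ' separator
    r"(?P<dst_fqdn>\S+)\.(?P<dst_svc>\w+):"   # destination, terminated by ':'
)


def extract_endpoints(line: str) -> Optional[Dict[str, str]]:
    """Return src/dst address and service (port) fields, or None when the
    line does not carry an 'addr.port > addr.port:' pair."""
    m = TCPDUMP_ENDPOINTS.match(line)
    return m.groupdict() if m else None


# Constructed sample lines (not captured traffic). The first copies the
# question's format; the IPv6 numeric form is an assumption about tcpdump -n output.
SAMPLE_LINES = [
    "17:05:04.419162 IP6 www.espeakers.com.ntp > myserver.com.ntp: NTPv4, Client, length 48",
    "17:05:04.419162 IP 192.0.2.10.123 > 198.51.100.5.123: NTPv4, Client, length 48",
    "17:05:04.419162 IP6 2001:db8::1.123 > 2001:db8::2.123: NTPv4, Client, length 48",
    "17:05:05.000000 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2",
]


def summarize(lines) -> Tuple[Dict[Tuple[str, str], int], int]:
    """Count events per (source address, source service). Lines the regex
    rejects are counted separately so parsing gaps stay visible instead of
    silently disappearing from the numbers."""
    counts: Dict[Tuple[str, str], int] = {}
    unmatched = 0
    for line in lines:
        fields = extract_endpoints(line)
        if fields is None:
            unmatched += 1
            continue
        key = (fields["src_fqdn"], fields["src_svc"])
        counts[key] = counts.get(key, 0) + 1
    return counts, unmatched


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_endpoints(line))
    print(summarize(SAMPLE_LINES))
```

One caveat when the fields feed a detection or report: a resolved `src_fqdn` comes from reverse DNS, which the owner of the remote address controls, so keep the numeric address (`tcpdump -n`) as the field of record and treat the name as a label.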


albyva
Communicator

Can somebody break out this search so I can create Field Extractions so it's hard coded?


jsie_splunk
Splunk Employee

You're welcome, I'm glad it worked.

albyva
Communicator

Thank you. This rex statement hit the nail on the spot.
