Can I use the Wireshark pcap file capture data and store the data into Splunk for indexing? asked 15 Apr '12, 18:51 misteryuku edited 15 Apr '12, 18:51
2 Answers:
Probably. Using either Wireshark or, more likely, tshark, and setting options to output only the fields required in a CSV format, the data could be fed into Splunk. If you can explain exactly what data you wish to extract from the pcap files, someone should be able to give you a recipe for doing that. Actually getting the data into Splunk is not a suitable topic for this site, though. answered 16 Apr '12, 00:01 grahamb ♦
Well, if you check on the Splunk Q&A site, that question appears to have been answered already, and the answer, sadly, is "no", as Splunk appears, at least from what one answer to that question says, to read only text files, and pcap files are NOT text files. Other answers seem to indicate that if you feed a pcap file to TShark and have it print out the file in verbose format, Splunk can read the resulting text file. answered 16 Apr '12, 01:00 Guy Harris ♦♦
So the way is to convert the pcap to a CSV file using tshark commands, is that right?
In the answer on the Splunk Q&A site, they converted it to a human-readable display of the full protocol tree, not a CSV file. If you want further help in getting Splunk to process a pcap file, the best place to ask is on the Splunk Q&A site, as those people are more likely to know what Splunk would most usefully process.
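To make the conversion the thread describes concrete, here is an added example (not code from any of the answers above, nor from Wireshark or Splunk) that reads a pcap and emits one key=value text line per IPv4 packet, the kind of flat text Splunk indexes and auto-extracts fields from. In practice you would let tshark do this with `-T fields -E separator=,`; the script only shows what such a conversion involves, using a constructed two-packet pcap as input, and it handles both pcap byte orders and a capture file cut off mid-record.

```python
import socket
import struct

PROTO_NAMES = {6: "tcp", 17: "udp"}

def build_sample_pcap():
    # Constructed input, not a real capture: LE pcap, link type 1 (Ethernet), one UDP + one TCP SYN.
    def ipv4(src, dst, proto, payload):
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                          proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
        return hdr + payload
    def frame(ip):  # dst MAC, src MAC, EtherType 0x0800 (IPv4)
        return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip
    udp = frame(ipv4("10.0.0.1", "10.0.0.53", 17, struct.pack("!HHHH", 53000, 53, 8, 0)))
    tcp = frame(ipv4("10.0.0.2", "192.0.2.10", 6,
                     struct.pack("!HHIIBBHHH", 44000, 443, 0, 0, 0x50, 2, 0, 0, 0)))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for ts, pkt in ((1334534400, udp), (1334534401, tcp)):
        out += struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt  # record header + data
    return out

def pcap_to_splunk_lines(data):
    """One key=value line per IPv4 packet (the form Splunk auto-extracts);
    handles both pcap byte orders and stops cleanly at a truncated record."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":    # magic 0xa1b2c3d4 written little-endian
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":  # written big-endian
        end = ">"
    else:
        raise ValueError("not a pcap file")
    if struct.unpack(end + "IHHiIII", data[:24])[6] != 1:
        raise ValueError("only Ethernet (link type 1) is handled here")
    lines, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _ = struct.unpack(end + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < incl:                # capture cut off mid-record: stop, do not guess
            break
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # not IPv4: skip
            continue
        proto, ihl = pkt[23], (pkt[14] & 0x0F) * 4
        fields = [f"ts={ts_sec}.{ts_usec:06d}", f"src={socket.inet_ntoa(pkt[26:30])}",
                  f"dst={socket.inet_ntoa(pkt[30:34])}",
                  f"proto={PROTO_NAMES.get(proto, proto)}", f"len={incl}"]
        l4 = pkt[14 + ihl:]
        if proto in PROTO_NAMES and len(l4) >= 4:  # TCP and UDP both start with the ports
            fields += ["sport=%d dport=%d" % struct.unpack("!HH", l4[:4])]
        lines.append(" ".join(fields))
    return lines
```

Write the returned lines to a file that a Splunk file monitor input watches, or pipe them in, and each line becomes one event with `src`, `dst`, `proto`, `sport` and `dport` already extracted.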