This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using the wireshark pcap file capture data as Splunk Log Data

0

Can I use the Wireshark pcap file capture data and store the data into Splunk for indexing?

asked 15 Apr '12, 18:51


misteryuku
accept rate: 0%

edited 15 Apr '12, 18:51


2 Answers:

0

Probably. Using either Wireshark or, more likely, tshark, and setting options to output only the fields required in a CSV format, the data could be fed into Splunk.

If you can explain exactly what data you wish to extract from the pcap files someone should be able to give you a recipe for doing that.

Actually getting the data into Splunk is not a suitable topic for this site though.

answered 16 Apr '12, 00:01


grahamb ♦
accept rate: 22%

0

Well, if you check on the Splunk Q&A site, that question appears to have been answered already, and the answer, sadly, is "no", as Splunk appears, at least from what one answer to that question says, to read only text files, and pcap files are NOT text files. Other answers seem to indicate that if you feed a pcap file to TShark and have it print out the file in verbose format, Splunk can read the resulting text file.

answered 16 Apr '12, 01:00


Guy Harris ♦♦
accept rate: 19%

So the way is to convert the pcap to a CSV file using tshark commands, is that right?

(16 Apr '12, 01:25) misteryuku

In the answer on the Splunk Q&A site, they converted it to a human-readable display of the full protocol tree, not a CSV file. If you want further help in getting Splunk to process a pcap file, the best place to ask is on the Splunk Q&A site, as those people are more likely to know what Splunk would most usefully process.

(16 Apr '12, 10:13) Guy Harris ♦♦
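Following grahamb's suggestion of tshark field extraction to CSV (rather than the verbose protocol-tree dump Guy Harris describes), here is an added example that is not part of this thread: it builds the tshark command line, then reshapes tshark's CSV into one key=value line per packet, which Splunk can index as plain text. The field list, the `SAMPLE_CSV` input and the key=value layout are my own choices, and `SAMPLE_CSV` is constructed to mirror what the command prints, not taken from a real capture.

```python
"""Turn a pcap into Splunk-friendly text with tshark's field extraction."""
import csv
import io
import shutil
import subprocess

# Fields to extract (my choice); frame.time_epoch first so each line carries a timestamp.
FIELDS = ["frame.time_epoch", "ip.src", "ip.dst", "ip.proto",
          "tcp.srcport", "tcp.dstport", "frame.len", "_ws.col.Protocol"]


def tshark_command(pcap_path, fields=FIELDS):
    """Build the tshark argv: one -e per field, CSV with a header row, double-quoted
    values, and only the first occurrence of a field that can repeat (e.g. tunnelled IP)."""
    cmd = ["tshark", "-r", pcap_path, "-T", "fields"]
    for field in fields:
        cmd += ["-e", field]
    cmd += ["-E", "header=y", "-E", "separator=,", "-E", "quote=d", "-E", "occurrence=f"]
    return cmd


def csv_to_kv_events(csv_text):
    """Convert tshark's CSV (header row unquoted, values quoted) into one
    'key=value key=value ...' event per packet. Fields that are empty for a
    packet (tcp.* on a UDP packet, for instance) are dropped, not emitted blank."""
    reader = csv.DictReader(io.StringIO(csv_text))
    events = []
    for row in reader:
        pairs = []
        for key, value in row.items():
            if not value:
                continue
            # Quote values that contain whitespace so the pair stays one token.
            pairs.append(f'{key}="{value}"' if " " in value else f"{key}={value}")
        events.append(" ".join(pairs))
    return events


def pcap_to_kv_events(pcap_path):
    """Run tshark (must be on PATH) over a capture and return the converted events."""
    if shutil.which("tshark") is None:
        raise RuntimeError("tshark not found on PATH")
    result = subprocess.run(tshark_command(pcap_path), check=True,
                            capture_output=True, text=True)
    return csv_to_kv_events(result.stdout)


# Constructed sample of the command's output (two packets), not a real capture.
SAMPLE_CSV = (
    "frame.time_epoch,ip.src,ip.dst,ip.proto,tcp.srcport,tcp.dstport,frame.len,_ws.col.Protocol\n"
    '"1334534461.000123","10.0.0.5","93.184.216.34","6","51234","443","74","TCP"\n'
    '"1334534461.004567","10.0.0.5","10.0.0.1","17","","","82","DNS"\n'
)
```

Point `pcap_to_kv_events` at a capture and write the returned lines to a file that a Splunk file monitor input watches.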