In my previous post i explained all needed details how to get started with the “PCAP Analyzer for Splunk”.
With this post I am going to describe the Top Talker Overview Dashboard in the application.
The main idea behind this Dashboard is to perform a top talker analysis by understanding which Conversation / Server / Protocol / VLAN / Port produced the highest traffic within the captured time period.
Sometimes it can be very helpful to understand if you suffer from problems due to an overload within your network.
As soon as you successful indexed your pcap file you can open the “PCAP Analyzer for Splunk” and click on the Top Talker Overview Dashboard.
To see the data of your pcap file you need to choose your file from the drop-down menu and specify a timechart span.
Keep in mind that by changing the timechart span you have to use the same format as if you would use the timechart command within a search query.
In my example (network capture taken on my fritzbox) the capture covers around 5 minutes, so i decided to use a span of 10 seconds (10s).
The panels in the first row show the traffic in the amount of packets (pie chart).
For example in the first panel (Top Protocols (Packets)) you can see the number of packets exchanged for that specific protocol.
The whole first row gives you a first idea of what is going on in your network.
For the following rows we have all panels showing the traffic as the calculated sum of bytes over time.
It is interesting sometimes if even the number of packets are low the sum of the bytes can be very high.
The panels are configured as “stacked” area chart to show the full amount of data transmitted over time in your network.
Please find more details at https://devops-online.com/pcap-analyzer/
In case you have other questions or problems, please contact me via Email or write into the comments.