PCAP Analyzer

PCAP Analyzer Splunkbase: splunkbase.splunk.com/app/2748/

Getting Started!


What is the Splunk PCAP Analyzer?

The Splunk App for PCAP files turns pcap files into helpful charts by converting them into a Splunk-readable CSV file.

How does the Splunk PCAP Analyzer work?

The Splunk App includes a script that converts the pcap file to a CSV file, which Splunk then reads automatically.

What are the requirements to use Splunk PCAP Analyzer?

You need “Wireshark (tshark)” installed and, of course, Splunk (make sure the SPLUNK_HOME variable is set).

Which script do I have to use to convert the file?

You don’t have to execute any script. The only thing you have to do is specify the location of your PCAP files in the Web UI.
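To make the conversion step concrete, here is an added example of a pcap-to-CSV script in the spirit of the app's pcap2csv.sh. It is not the app's own script: the exported field list, the header-based Splunk field names and the rule "tshark 1.x takes -R, 2.x and later take -Y for the display filter" are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the app's own pcap2csv.sh: convert a pcap into a
# Splunk-readable CSV with tshark, choosing the display-filter flag by
# tshark major version (assumption: -R for 1.x, -Y for 2.x and later).
# The field list is an assumption based on the dashboards the README names
# (VLAN ID, TCP stream id, DNS/HTTP/SMB time, TCP errors).

# Fields exported per packet; with -E header=y the names become the CSV
# header and therefore the field names Splunk extracts.
PCAP_FIELDS="frame.time_epoch ip.src ip.dst tcp.srcport tcp.dstport tcp.stream"
PCAP_FIELDS="$PCAP_FIELDS vlan.id dns.time http.time smb.time smb2.time tcp.analysis.flags"

# Major version from the first line of "tshark -v", which looks like
# "TShark (Wireshark) 3.6.2 (...)" or, for old builds, "TShark 1.12.1 (...)".
# Prints nothing if the banner is not recognised.
tshark_major() {
    printf '%s\n' "$1" | sed -n 's/^TShark[^0-9]*\([0-9][0-9]*\)\..*/\1/p'
}

# Display-filter option for the given major version.
filter_flag() {
    if [ "$1" -ge 2 ]; then printf '%s\n' '-Y'; else printf '%s\n' '-R'; fi
}

# The CSV header line the conversion produces (field names joined by commas).
csv_header() {
    printf '%s\n' "$PCAP_FIELDS" | tr ' ' ','
}

# Convert <file>.pcap into <file>.csv next to it.
pcap2csv() {
    pcap="$1"
    [ -r "$pcap" ] || { echo "cannot read $pcap" >&2; return 1; }
    command -v tshark >/dev/null 2>&1 || { echo "tshark not found" >&2; return 1; }
    major=$(tshark_major "$(tshark -v 2>/dev/null | head -n 1)")
    [ -n "$major" ] || major=2   # unknown banner: assume a modern tshark
    set --                       # rebuild the positional list as -e <field> pairs
    for f in $PCAP_FIELDS; do set -- "$@" -e "$f"; done
    tshark -r "$pcap" "$(filter_flag "$major")" ip -T fields \
        -E header=y -E separator=, -E quote=d -E occurrence=f "$@" \
        > "${pcap%.*}.csv"
}

# Usage: sh pcap2csv.sh capture.pcap
if [ "$#" -gt 0 ]; then pcap2csv "$1"; fi
```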

If you have other questions or problems, please contact me via email or open an issue on GitHub.


Version Updates
1.0 Full first application
1.1 Round Trip Time Panel & Microburst Dashboard have been added
1.2 VLAN ID has been added & pcap2csv.sh repaired
2.0 Dashboard that visualizes network data from the Splunk App for Stream
2.1 Added TCP stream id
2.2 Fixed Timestamp issues & Simplified Dashboards
2.3 Fixed %Packet Loss Panel & fixed pcap2csv.sh script & added pcap2csv scripts for different tshark versions
3.0 New Dashboard for DNS & New Dashboard for Conversations (Sankey) & Fixed field extraction problems & Optimized script usage
3.1 Several bug fixes
3.2 Several bug fixes
3.3 Several bug fixes
4.0 Automatic script execution & Dashboard optimization
4.0.1 Fixed automatic script to catch tshark versions starting from 2.x.x
4.0.1 Added number of 3-way handshakes to the Detailed Dashboard & Improved DNS Dashboard & Improved Top Talker Dashboard
4.1 Fixed automatic script to catch tshark versions starting from 2.x.x
4.1.1 Fixed variable issues in the scripts to convert pcap files
4.1.2 Fixed pcap2csv.(sh|bat) scripts to properly catch tshark versions 2.x.x & Increased automatic execution interval from 30 seconds to 60 seconds & Fixed Detailed Dashboard to avoid automatic execution at the beginning & Added TCP Errors by SourceIP + TCP Error statistic panel into Detailed Dashboard & Added DNS time + HTTP time & Added MAC addresses into the Top Talker Dashboard
4.1.3 Repaired pcap2csv.bat
4.1.4 Added SMB / SMB2 / RPC time value & Fixed field validation with ARP protocol packets & Optimized NFS Dashboard