Indexing PCAP header data in Splunk

I am often asked, “can i store pcap headers in splunk ?”. My response is a somewhat useless, “that’s easy”. To which the inquirer says, “if its so easy, show me; right now”. Ok. Fair point :)

We’ll do all this from the command line but first a quick overview:

– Create a new index, pcaphead,
– Create a splunk listener, udp 5000.
– Run tcpdump to print the headers
– Use netcat to send the headers to Splunk
– Run a Splunk search.

This is what it looks like on the command line.

merza-mbp15:Downloads mmerza$ # add the index using the splunk password
/opt/splunk/bin/splunk add index pcaphead -auth admin:supersecret
# add the listener specifying a new sourcetype and the index
/opt/splunk/bin/splunk add udp 5000 -sourcetype pcapheader -index pcaphead -auth admin:supersecret
# run tcpdump and pipe output to netcat
tcpdump -tttt -nn -r 0C921935F0880B5C2161B3905F8A3069.pcap
| nc -u 5000

The output from the above commands is:

Index "pcaphead" added.
Listening for UDP input on port 5000.
reading from file 0C921935F0880B5C2161B3905F8A3069.pcap, link-type EN10MB

We run a splunk search, extract the destination IP and port and count the destination IP’s and destination ports

merza-mbp15:Downloads mmerza$ /opt/splunk/bin/splunk search
| rex field=_raw "> (?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\.(?<dst_port>\d+)"
| stats count by dst_ip dst_port'

The output of above:

Preview of: index="pcaphead" 
| rex field=_raw "> (?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\.(?<dst_port>\d+)"
| stats count by dst_ip dst_port
dst_ip dst_port count
-------------- -------- ----- 80 122 80 74 80 7 80 10 80 15 80 15 80 60

The pcap is for Trojan ‘Nap’, aka Kelihos/Hlux. Props to the Contagio blog for posting the pcap and other intel:

Some things I ignored:
I put the password on the command shell. Not a best practice. But it makes explaining things easier.
I didn’t write a proper props.conf file to parse the fields in the tcpdump text output.
Running a search like, index=pcaphead, without some other strings is a bad idea but this is an illustration.

If you find this sort of post useful, or related to something, please leave a comment. If you don’t find it useful, leave a comment any way 😉

Monzy Merza

Monzy Merza

Posted by