This TA enables direct network input on Windows using tshark (part of the Wireshark package), parsing (currently DNS traffic) and search-time CIM mapping.

Possible use cases
------------------
- DNS Insight https://splunkbase.splunk.com/app/1827/
- DHCP Insight https://splunkbase.splunk.com/app/1837/

Installation
------------
- Install Wireshark (you can deselect all components except tshark).
- Install TA-tshark on the UF and configure forwarding.
- Modify inputs.conf and bin/tcpdump.path if needed. The provided file is configured for Windows to capture port 53 (DNS) on the first interface and defines the input with the "tshark:port53" sourcetype.
- Enable the capture in inputs.conf (set disabled = 0).
- Restart the UF.

Discuss TA_tshark on Splunk Answers: http://answers.splunk.com/answers/app/4921

Contact
-------
splunk@compek.net
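The following is an added example, not TA-tshark's own parser or any of its bin/ scripts. It shows the kind of parsing and CIM Network Resolution mapping the TA description refers to: tshark is assumed (hypothetically; the TA's actual command line may differ) to have been run with `-T fields` and a fixed field list for port 53 traffic, and each pipe-separated record is mapped to CIM-style names (src, dest, query, record_type, reply_code, message_type, answer). The sample records are constructed, not captured from a real host.

```python
"""Parse tshark '-T fields' DNS output into CIM Network Resolution style fields.

Added example for this page; it is not TA-tshark's own parser. It assumes
tshark was invoked along these lines (hypothetical command; the flags and
field names are standard Wireshark ones):

  tshark -i 1 -f "udp port 53" -l -T fields -E separator=| \
      -e frame.time_epoch -e ip.src -e ip.dst -e dns.flags.response \
      -e dns.qry.name -e dns.qry.type -e dns.flags.rcode -e dns.a
"""
from collections import Counter

# Subset of DNS QTYPE and RCODE numbers (RFC 1035 / IANA registry values).
QTYPES = {"1": "A", "2": "NS", "5": "CNAME", "6": "SOA", "12": "PTR",
          "15": "MX", "16": "TXT", "28": "AAAA", "33": "SRV", "255": "ANY"}
RCODES = {"0": "NOERROR", "1": "FORMERR", "2": "SERVFAIL",
          "3": "NXDOMAIN", "4": "NOTIMP", "5": "REFUSED"}

# Column order matches the -e list in the assumed tshark command above.
FIELDS = ["time", "src", "dest", "response", "query", "qtype", "rcode", "a"]

# Constructed sample output (not a real capture): a query/answer pair,
# a query that gets NXDOMAIN, and an unanswered AAAA query.
SAMPLE = """\
1700000000.100000|10.0.0.5|10.0.0.1|0|www.example.com|1|0|
1700000000.120000|10.0.0.1|10.0.0.5|1|www.example.com|1|0|93.184.216.34
1700000001.000000|10.0.0.5|10.0.0.1|0|nonexistent.example.net|1|0|
1700000001.030000|10.0.0.1|10.0.0.5|1|nonexistent.example.net|1|3|
1700000002.000000|10.0.0.7|10.0.0.1|0|example.com|28|0|
"""


def parse_line(line):
    """Map one '|'-separated tshark record to CIM-style field names.

    Returns None for lines that do not have the expected column count
    (for example tshark warnings that ended up in the same stream)."""
    cols = line.rstrip("\r\n").split("|")
    if len(cols) != len(FIELDS):
        return None
    raw = dict(zip(FIELDS, cols))
    # tshark prints booleans as 0/1 on older releases and True/False on newer.
    is_response = raw["response"].lower() in ("1", "true")
    return {
        "_time": float(raw["time"]),
        "src": raw["src"],
        "dest": raw["dest"],
        "transport": "udp",  # the assumed capture filter is "udp port 53"
        "message_type": "Response" if is_response else "Query",
        "query": raw["query"].lower(),
        "record_type": QTYPES.get(raw["qtype"], raw["qtype"]),
        # rcode is only meaningful on responses; queries always carry 0.
        "reply_code": RCODES.get(raw["rcode"], raw["rcode"]) if is_response else None,
        # dns.a is comma-joined by tshark when a response has several A records.
        "answer": [a for a in raw["a"].split(",") if a],
    }


def parse_output(text):
    """Parse every non-empty line, dropping malformed ones."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def nxdomain_by_client(events):
    """Count NXDOMAIN responses per client (the dest of the response packet).

    A client producing a burst of these is a common sign of DGA malware or
    misconfiguration, and is a typical first search over this sourcetype."""
    return dict(Counter(ev["dest"] for ev in events
                        if ev["message_type"] == "Response"
                        and ev["reply_code"] == "NXDOMAIN"))


if __name__ == "__main__":
    for ev in parse_output(SAMPLE):
        print(ev["message_type"], ev["src"], "->", ev["dest"], ev["query"],
              ev["record_type"], ev["reply_code"], ev["answer"])
    print("NXDOMAIN per client:", nxdomain_by_client(parse_output(SAMPLE)))
```

In a real deployment the UF would run the tshark command as a scripted input and the field extraction would live in props.conf/transforms.conf rather than in Python; the point here is which tshark fields carry the information each CIM field needs and where the boolean and multi-value quirks of `-T fields` output have to be handled.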