I am often asked, "Can I store pcap headers in Splunk?" My response is a somewhat useless, "That's easy." To which the inquirer says, "If it's so easy, show me; right now." Ok. Fair point.
We'll do all of this from the command line, but first a quick overview:
- Create a new index, pcaphead.
- Create a Splunk UDP listener on port 5000.
- Run tcpdump to print the packet headers as text.
- Use netcat to send that text to the Splunk listener.
- Run a Splunk search over the new index.
This is what it looks like on the command line.
merza-mbp15:Downloads mmerza$
# add the index using the splunk password
/opt/splunk/bin/splunk add index pcaphead -auth admin:supersecret
# add the listener specifying a new sourcetype and the index
/opt/splunk/bin/splunk add udp 5000 -sourcetype pcapheader -index pcaphead -auth admin:supersecret
# run tcpdump and pipe output to netcat
tcpdump -tttt -nn -r 0C921935F0880B5C2161B3905F8A3069.pcap | nc -u 192.168.4.200 5000
^C
The output from the above commands is:
Index "pcaphead" added.
Listening for UDP input on port 5000.
reading from file 0C921935F0880B5C2161B3905F8A3069.pcap, link-type EN10MB (Ethernet)
^C
We run a Splunk search, extract the destination IP and port from the raw text with rex, and count by destination IP and destination port:
merza-mbp15:Downloads mmerza$ /opt/splunk/bin/splunk search 'index="pcaphead" | rex field=_raw "> (?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\.(?<dst_port>\d+)" | stats count by dst_ip dst_port'
The output of the above:
Preview of: index="pcaphead" | rex field=_raw "> (?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\.(?<dst_port>\d+)" | stats count by dst_ip dst_port
dst_ip         dst_port count
-------------- -------- -----
1.172.19.122   80       122
1.173.161.207  80       74
1.175.227.137  80       7
1.177.15.190   80       10
2.133.108.18   80       15
2.134.220.217  80       15
2.134.23.57    80       60
...snip...
The pcap is for Trojan ‘Nap’, aka Kelihos/Hlux. Props to the Contagio blog for posting the pcap and other intel:
http://contagiodump.blogspot.com/2013/02/trojan-nap-aka-kelihoshlux-status.html
Some things I ignored:
I put the password on the command line. Not a best practice: it lands in the shell history and is visible to anyone who can list processes. But it makes explaining things easier.
I didn't write a proper props.conf to extract fields from the tcpdump text output; the rex in the search does it ad hoc instead.
Running a search like index=pcaphead without any other search terms is a bad idea (it pulls back every event in the index), but this is an illustration.
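Two things are worth seeing in working code rather than only in the search above: what the tcpdump text actually looks like once it reaches Splunk, and what the rex does and does not catch. The rex captures whatever follows ">", so for a server's reply packet the "destination" is the client's ephemeral port; ICMP and ARP lines carry no port and silently match nothing. The script below is an added example, not code from the original post. It parses constructed `tcpdump -tttt -nn` lines (documentation addresses, not the Kelihos pcap), tallies destination IP/port the way `stats count by dst_ip dst_port` does, and takes an optional source-network prefix so only one direction is counted. The regex and the `src_prefix` idea are my assumptions about a sensible extraction, not the page's props.conf. One more caveat for anyone running this live instead of from a file: add `-l` to tcpdump so stdout is line-buffered and lines reach netcat as they are printed.

```python
"""Parse the text that `tcpdump -tttt -nn` prints and tally destination
IP/port, mirroring the `rex ... | stats count by dst_ip dst_port` search.
Added example; not code from the original post."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Field layout of an IPv4 TCP/UDP line from tcpdump -tttt -nn:
#   <date> <time> IP <src_ip>.<src_port> > <dst_ip>.<dst_port>: <rest>
# The dst_ip/dst_port part is the same capture the page's rex uses.
# ICMP and ARP lines carry no port pair, so they deliberately do not match.
TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<src_port>\d+) > "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dst_port>\d+): "
    r"(?P<info>.*)$"
)

# Constructed sample output (RFC 5737 documentation addresses), shaped like
# what tcpdump -tttt -nn prints: one HTTP handshake plus a data segment,
# one DNS query, one ICMP echo, one ARP request, one more SYN.
SAMPLE = """\
2013-02-20 09:14:02.101334 IP 192.0.2.10.49321 > 198.51.100.7.80: Flags [S], seq 1832645180, win 65535, options [mss 1460,sackOK], length 0
2013-02-20 09:14:02.131870 IP 198.51.100.7.80 > 192.0.2.10.49321: Flags [S.], seq 9123, ack 1832645181, win 5840, length 0
2013-02-20 09:14:02.132004 IP 192.0.2.10.49321 > 198.51.100.7.80: Flags [.], ack 1, win 65535, length 0
2013-02-20 09:14:02.134712 IP 192.0.2.10.49321 > 198.51.100.7.80: Flags [P.], seq 1:312, ack 1, win 65535, length 311
2013-02-20 09:14:03.004218 IP 192.0.2.10.53421 > 198.51.100.9.53: 41217+ A? example.com. (29)
2013-02-20 09:14:03.510020 IP 192.0.2.10 > 198.51.100.9: ICMP echo request, id 1, seq 1, length 64
2013-02-20 09:14:04.000001 ARP, Request who-has 198.51.100.1 tell 192.0.2.10, length 28
2013-02-20 09:14:05.220000 IP 192.0.2.10.49322 > 198.51.100.12.80: Flags [S], seq 77, win 65535, length 0
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields for one tcpdump line, or None when the line
    is not an IPv4 TCP/UDP packet (ICMP, ARP, IPv6, a truncated datagram)."""
    m = TCPDUMP_LINE.match(line.strip())
    return m.groupdict() if m else None


def count_destinations(lines: Iterable[str],
                       src_prefix: Optional[str] = None) -> Tuple[Counter, int]:
    """Tally (dst_ip, dst_port) like `stats count by dst_ip dst_port`.

    With src_prefix set (e.g. "192.0.2."), only packets sent *from* that
    network are counted, so server replies to the client's ephemeral ports
    stop showing up as 'destinations'. Returns (counter, unparsed_lines)."""
    counts: Counter = Counter()
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        fields = parse_line(line)
        if fields is None:
            unparsed += 1
            continue
        if src_prefix and not fields["src_ip"].startswith(src_prefix):
            continue
        counts[(fields["dst_ip"], int(fields["dst_port"]))] += 1
    return counts, unparsed


def format_table(counts: Counter) -> str:
    """Render the tally like the Splunk CLI preview, busiest first."""
    rows = ["dst_ip          dst_port count", "--------------- -------- -----"]
    for (ip, port), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        rows.append(f"{ip:<15} {port:<8} {n}")
    return "\n".join(rows)


if __name__ == "__main__":
    all_counts, skipped = count_destinations(SAMPLE.splitlines())
    print(format_table(all_counts))
    print(f"\n{skipped} line(s) without an IPv4 port pair were skipped\n")
    client_counts, _ = count_destinations(SAMPLE.splitlines(), src_prefix="192.0.2.")
    print("Counting only packets sent from 192.0.2.0/24:")
    print(format_table(client_counts))
```

Run it as-is and the first table contains a row for 192.0.2.10 port 49321 (the SYN-ACK reply), which is exactly the artefact the page's rex produces on a bidirectional capture; the second table, filtered by source prefix, drops it. To feed real output in, pipe `tcpdump -tttt -nn -r file.pcap` into the script and replace `SAMPLE.splitlines()` with `sys.stdin`.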
If you find this sort of post useful, or related to something, please leave a comment. If you don't find it useful, leave a comment anyway.