Skip to main content

Network packet inspection data

  • Updated

Network packet inspection data is a type of network traffic data that represents nearly all traffic generated by devices on a network. The network packet is the fundamental element in network communications between sender and receiver and, as such, when it is collected and analyzed it provides a wealth of information.

Data visibility 

Use case possibilities pertaining to packet capture (PCAP) data are endless. This data is highly valuable to security practitioners engaged in forensic investigations tracing client/server communications or tracking down a malicious code via MD5 hash. As a network administrator, PCAP data can be used to optimize network performance, identify unmanaged devices that users connect to the network, or pinpoint issues with DNS resolution.

Data application

When your Splunk deployment is ingesting network packet inspection data, you can use the data to achieve objectives related to the following use cases:

High-value fields

In the Common Information Model, network packet inspection data is typically mapped to the Network Traffic Data model. This data type has many available fields, but users typically derive the most value out of the fields listed here.

dest

The destination of the network traffic (the remote host).

dest_ip

The IP address of the destination.

icmp_code

The RFC 2780 or RFC 4443 human-readable code value of the traffic, such as Destination, Destination Unreadable, or Parameter Problem.

icmp_type

The RFC 2780 or RFC 4443 numeric value of the traffic. 

protocol

The OSI layer 3 (network) protocol of the traffic observed, written in all lower case.

session_id

The session identifier. Multiple transactions build a session

src

The source of the network traffic (the client requesting the connection).

src_ip

The IP address of the source.

top_flag

The TCP flag(s) specified in the event.

ttl

The "time to live" of a packet or diagram.

Known data sources and source types

Guidance for onboarding data can be found in the Splunk documentation, Getting Data In.

Data Source

Sourcetype

Recommend Add-Ons

Zeek aka Bro

sourcetype="bro_packet_filter"

Splunk Add-on for Zeek aka Bro

Stream

sourcetype="stream"

Splunk Stream

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.