Network packet inspection data is a type of network traffic data that represents nearly all traffic generated by devices on a network. The network packet is the fundamental element in network communications between sender and receiver and, as such, when it is collected and analyzed it provides a wealth of information.
Use case possibilities pertaining to packet capture (PCAP) data are endless. This data is highly valuable to security practitioners engaged in forensic investigations tracing client/server communications or tracking down a malicious code via MD5 hash. As a network administrator, PCAP data can be used to optimize network performance, identify unmanaged devices that users connect to the network, or pinpoint issues with DNS resolution.
When your Splunk deployment is ingesting network packet inspection data, you can use the data to achieve objectives related to the following use cases:
In the Common Information Model, network packet inspection data is typically mapped to the Network Traffic Data model. This data type has many available fields, but users typically derive the most value out of the fields listed here.
The destination of the network traffic (the remote host).
The IP address of the destination.
The RFC 2780 or RFC 4443 human-readable code value of the traffic, such as Destination, Destination Unreadable, or Parameter Problem.
The RFC 2780 or RFC 4443 numeric value of the traffic.
The OSI layer 3 (network) protocol of the traffic observed, written in all lower case.
The session identifier. Multiple transactions build a session
The source of the network traffic (the client requesting the connection).
The IP address of the source.
The TCP flag(s) specified in the event.
The "time to live" of a packet or diagram.
Known data sources and source types
Guidance for onboarding data can be found in the Splunk documentation, Getting Data In.
Zeek aka Bro