Network packet inspection data is a type of network traffic data that represents nearly all traffic generated by devices on a network. The network packet is the fundamental element in network communications between sender and receiver and, as such, when it is collected and analyzed it provides a wealth of information.
Data visibility
Use case possibilities pertaining to packet capture (PCAP) data are endless. This data is highly valuable to security practitioners engaged in forensic investigations tracing client/server communications or tracking down malicious code via its MD5 hash. As a network administrator, you can use PCAP data to optimize network performance, identify unmanaged devices that users connect to the network, or pinpoint issues with DNS resolution.
Data application
When your Splunk deployment is ingesting network packet inspection data, you can use the data to achieve objectives related to the following use cases:
High-value fields
In the Common Information Model, network packet inspection data is typically mapped to the Network Traffic Data model. This data type has many available fields, but users typically derive the most value out of the fields listed here.
dest
Destination of the network traffic (the remote host).
dest_ip
IP address of the destination.
icmp_code
RFC 2780 or RFC 4443 human-readable code value of the traffic, such as Destination Unreachable or Parameter Problem.
icmp_type
RFC 2780 or RFC 4443 numeric value of the traffic.
protocol
OSI layer 3 (network) protocol of the traffic observed, written in all lower case.
session_id
Session identifier. Multiple transactions build a session.
src
Source of the network traffic (the client requesting the connection).
src_ip
IP address of the source.
tcp_flag
TCP flag(s) specified in the event.
ttl
Time to live of a packet or datagram.
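The following is an added example, not code from the Splunk page or the Common Information Model itself: it normalizes constructed raw capture records into the high-value Network Traffic fields listed above (lower-casing protocol, rendering TCP flag bits as names, and mapping a numeric ICMP type to icmp_type with its RFC 792 name in icmp_code). The raw key names (uid, src_host, flags, and so on) are assumptions about a hypothetical capture format.

```python
# Added example (not from the Splunk page): normalize constructed packet records
# into the CIM Network Traffic field names described above.

# Subset of RFC 792 ICMPv4 type numbers and their human-readable names.
ICMPV4_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request",
                11: "Time Exceeded", 12: "Parameter Problem"}
# TCP flag bits in header order (FIN is the lowest bit).
TCP_FLAG_BITS = (("fin", 0x01), ("syn", 0x02), ("rst", 0x04), ("psh", 0x08),
                 ("ack", 0x10), ("urg", 0x20))


def tcp_flags_to_names(bits: int) -> str:
    """Render a TCP flag bitmask as comma-separated names, e.g. 0x12 -> 'SYN,ACK'."""
    return ",".join(name.upper() for name, bit in TCP_FLAG_BITS if bits & bit)


def to_cim(raw: dict) -> dict:
    """Map one raw capture record (hypothetical key names) to CIM field names."""
    proto = raw["proto"].lower()  # CIM: protocol is written in all lower case
    event = {
        "src": raw["src_host"], "src_ip": raw["src_addr"],
        "dest": raw["dst_host"], "dest_ip": raw["dst_addr"],
        "protocol": proto, "ttl": raw["ttl"], "session_id": raw["uid"],
    }
    if proto == "tcp":
        event["tcp_flag"] = tcp_flags_to_names(raw["flags"])
    elif proto == "icmp":
        # icmp_type keeps the numeric value; icmp_code carries the readable name.
        event["icmp_type"] = raw["icmp_type"]
        event["icmp_code"] = ICMPV4_TYPES.get(raw["icmp_type"], "Unknown")
    return event


# Constructed sample records (not real capture data).
SAMPLE_RECORDS = [
    {"uid": "CxY1a", "src_host": "wks-17", "src_addr": "10.0.0.17", "dst_host": "dns-1",
     "dst_addr": "10.0.0.53", "proto": "UDP", "ttl": 64},
    {"uid": "CxY1b", "src_host": "wks-17", "src_addr": "10.0.0.17", "dst_host": "web-1",
     "dst_addr": "10.0.1.8", "proto": "TCP", "ttl": 64, "flags": 0x12},
    {"uid": "CxY1c", "src_host": "dns-1", "src_addr": "10.0.0.53", "dst_host": "wks-17",
     "dst_addr": "10.0.0.17", "proto": "ICMP", "ttl": 63, "icmp_type": 3},
]


def normalize_all(records):
    """Normalize a list of raw records into CIM-shaped events."""
    return [to_cim(r) for r in records]


if __name__ == "__main__":
    for event in normalize_all(SAMPLE_RECORDS):
        print(event)
```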
Known data sources and source types
Guidance for onboarding data can be found in the Splunk documentation, Getting Data In.
Data Source | Sourcetype | Recommended Add-Ons
Zeek aka Bro | sourcetype="bro_packet_filter" |
Stream | sourcetype="stream" |