Network packet inspection data is a type of network traffic data that represents nearly all of the traffic generated by devices on a network. The network packet is the fundamental unit of communication between a sender and a receiver, so when packets are collected and analyzed they provide a wealth of information about who talked to whom, over which protocol, and with what result.
Packet capture (PCAP) data supports a wide range of use cases. It is highly valuable to security practitioners engaged in forensic investigations who need to trace client/server communications or track down malicious code by its MD5 hash. As a network administrator, you can use PCAP data to optimize network performance, identify unmanaged devices that users connect to the network, or pinpoint problems with DNS resolution.
When your Splunk deployment is ingesting network packet inspection data, you can use the data to achieve objectives related to the following use cases:
In the Common Information Model (CIM), network packet inspection data is typically mapped to the Network Traffic data model (Network_Traffic). This data model has many available fields, but users typically derive the most value from the fields listed here (field names as defined in the CIM Network Traffic data model).
dest: Destination of the network traffic (the remote host).
dest_ip: IP address of the destination.
icmp_code: RFC 2780 or RFC 4443 human-readable code value of the traffic, such as Destination Unreachable or Parameter Problem.
icmp_type: RFC 2780 or RFC 4443 numeric type value of the traffic.
protocol: OSI layer 3 (network) protocol of the traffic observed, written in all lower case.
session_id: Session identifier. Multiple transactions build a session.
src: Source of the network traffic (the client requesting the connection).
src_ip: IP address of the source.
tcp_flag: TCP flag(s) specified in the event.
ttl: Time to live of a packet or datagram.
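The searches below are an added example of putting these fields to work; they are not part of the original page and not Splunk's own content. They assume the Network_Traffic data model is accelerated (hence summariesonly=true), that your source type spells the SYN flag as the literal string "SYN" in tcp_flag (the spelling varies by source type), and that the thresholds (50 destinations, 100 ports in five minutes) are illustrative starting points to tune for your environment. dest_port and transport are also CIM Network Traffic fields, even though they are not in the short list above. Run each search on its own.

```spl
| tstats summariesonly=true count AS total
    count(All_Traffic.session_id) AS has_session_id
    count(All_Traffic.icmp_type)  AS has_icmp_type
    count(All_Traffic.tcp_flag)   AS has_tcp_flag
    count(All_Traffic.ttl)        AS has_ttl
    FROM datamodel=Network_Traffic.All_Traffic
    BY sourcetype
| eval session_id_pct=round(100*has_session_id/total,1),
       icmp_type_pct=round(100*has_icmp_type/total,1),
       tcp_flag_pct=round(100*has_tcp_flag/total,1),
       ttl_pct=round(100*has_ttl/total,1)
| fields sourcetype total *_pct

| tstats summariesonly=true count AS echo_requests
    dc(All_Traffic.dest_ip) AS distinct_dests
    FROM datamodel=Network_Traffic.All_Traffic
    WHERE All_Traffic.protocol="icmp" All_Traffic.icmp_type=8
    BY All_Traffic.src_ip _time span=5m
| rename All_Traffic.* AS *
| where distinct_dests > 50
| sort - distinct_dests

| tstats summariesonly=true count AS syn_count
    dc(All_Traffic.dest_port) AS distinct_ports
    FROM datamodel=Network_Traffic.All_Traffic
    WHERE All_Traffic.transport="tcp" All_Traffic.tcp_flag="SYN"
    BY All_Traffic.src_ip All_Traffic.dest_ip _time span=5m
| rename All_Traffic.* AS *
| where distinct_ports > 100
| sort - distinct_ports
```

The first search is the onboarding check a practitioner wants before writing detections: it reports, per source type, what fraction of events actually populate session_id, icmp_type, tcp_flag and ttl, so an empty column tells you the field extraction or CIM mapping for that source type is missing rather than that the traffic is absent. The second search groups ICMP echo requests (type 8) by source over five-minute windows to surface ping sweeps, and the third counts distinct destination ports hit with SYN-flagged packets per source/destination pair to surface port scans. Both rely on the CIM field names, so they keep working when you add a second packet-inspection source as long as it is mapped to the same model.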
Known data sources and source types
Guidance for onboarding data can be found in the Splunk documentation, Getting Data In.
Zeek (formerly known as Bro)