How to see/synchronize pcap file "Time" with kibana visualization?

How to see pcap data with respect to pcap time events in kibana?

Here in Kibana, if I check the "Index contains time-based events" box, I am unable to load the "Time-field name"; if I uncheck the box, it only visualises the normal data with any time frame.

I want to see the data with "Index contains time-based events" checked, along with the pcap time frame.

Below is my data:

curl -XGET localhost:9200/test2/pcap2/327?pretty
{
  "_index" : "test2",
  "_type" : "pcap2",
  "_id" : "327",
  "_version" : 1,
  "found" : true,
  "_source" : {
    "Info" : "50038 > http [ACK] Seq=239 Ack=166 Win=64076 Len=0",
    "No." : "327",
    "Protocol" : "TCP",
    "Destination" : "185.158.152.205",
    "Source" : "10.10.31.101",
    "Length" : "60",
    "Time" : "390.453793"
  }
}

You'll need to convert the pcap time value into a time field that elasticsearch understands. Consider using logstash with the https://github.com/purbon/logstash-input-pcap plugin

I had imported into Elasticsearch without Logstash. So could you please let me know how to do it in Elasticsearch, or any other way? Thanks for the quick response, spalger

You'll have to reindex the data then @Gurram_Vinay, but I'm not sure how to convert the value of the Time field into an actual date, which is why I recommend the pcap input for logstash.

Logstash will help you here if you can go back and use it.
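One way to do the reindex spalger suggests, as an added example that is not from this thread or from Elastic: it derives an absolute "@timestamp" from the relative pcap "Time" value plus the capture start time, and builds the mapping and _bulk body for a new index. The index name test2-dated and the capture start value are assumptions; the capture start itself has to come from the pcap (for example frame.time_epoch of frame 1), since the relative Time column does not carry it.

```python
import json
from datetime import datetime, timedelta, timezone

# New index mapping (names are placeholders): "@timestamp" becomes a real
# date so Kibana can use it as the "Time-field name"; the numeric and
# address fields stop being plain strings.
MAPPING = {"mappings": {"pcap2": {"properties": {
    "@timestamp": {"type": "date"},
    "Time": {"type": "double"},
    "Length": {"type": "integer"},
    "Source": {"type": "ip"},
    "Destination": {"type": "ip"},
}}}}

def pcap_time_to_timestamp(capture_start, rel_time):
    """Absolute UTC time of a packet: capture start plus the relative
    pcap "Time" value (seconds since the first frame, as a string)."""
    return capture_start + timedelta(seconds=float(rel_time))

def convert_doc(source, capture_start):
    """Copy of a _source dict with an ISO-8601 "@timestamp" added."""
    out = dict(source)
    ts = pcap_time_to_timestamp(capture_start, source["Time"])
    out["@timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return out

def bulk_body(hits, index, doc_type, capture_start):
    """Newline-delimited body for POST /_bulk that writes every hit
    (as returned by a scroll over the old index) into the new index."""
    lines = []
    for hit in hits:
        action = {"index": {"_index": index, "_type": doc_type, "_id": hit["_id"]}}
        lines.append(json.dumps(action))
        lines.append(json.dumps(convert_doc(hit["_source"], capture_start)))
    return "\n".join(lines) + "\n"

# Constructed sample: the document from the question, plus an ASSUMED capture
# start (in practice read it from frame 1 of the pcap, e.g. frame.time_epoch).
CAPTURE_START = datetime(2016, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_HIT = {"_id": "327", "_source": {
    "Info": "50038 > http [ACK] Seq=239 Ack=166 Win=64076 Len=0",
    "No.": "327", "Protocol": "TCP", "Destination": "185.158.152.205",
    "Source": "10.10.31.101", "Length": "60", "Time": "390.453793"}}

if __name__ == "__main__":
    print(json.dumps(MAPPING))  # PUT /test2-dated with this body first
    print(bulk_body([SAMPLE_HIT], "test2-dated", "pcap2", CAPTURE_START))
```

Once the new index is populated, tick "Index contains time-based events" in Kibana and choose @timestamp as the Time-field name; the relative Time value is kept as a double for sorting within the capture.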

Well, my intention was to do some static analysis of packet capture files (a bunch of pcaps). I wanted to do some specific data analytics or searches which are possible only with Elasticsearch; however, it is not possible through Logstash. Well, after the analytics I want to visualise them through Kibana (specifically with the timestamp of the pcap). Well, thanks for the reply, @spalger

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.