*I am working with wireshark pcaps inside of SO kibana and hunt. Seems like the timestamps do not match?

iqworks · July 18, 2023, 12:04am

Hi, I am using windows 11, SO, winlogbeat and logstash
output.logstash:

The Logstash hosts

hosts: ["192.168.1.226:5044"]

I have saved a wireshark session as a pcap. I moved the pcap from my windows 10 machine with winSCP. I ran
So-import-pcap and got the url. I went into kibana and hunt and changed the from and to times to match the from
To date/time in the wireshark pcap. But when I try to match up the timestamps between wireshark and
Kibana or hunt, I see the src ip and the dst ip’s that match, so I am wondering if there is a way to send
Pcaps from winSCP to SO with the same timestamps?
Thanks for any advice or suggestions.

Marius_Dragomir · July 18, 2023, 3:09pm

Packetbeat can also get pcap data, so that will be the most accurate one to use with Kibana.

Rios · July 18, 2023, 3:32pm

I'm not sure am I get you, but will give it try my version.
If you have logs which has been read by an app, for instance beats, a message must have a @timestamp field when it enters LS, otherwise LS will create the @timestamp field with the current time of LS host. FB documentation
Always you can use the date plugin which has default target "@timestamp"

Topic		Replies	Views
Import Windows events stored as syslog in PCAPs Beats	1	251	March 14, 2020
How to see/synchronize pcap file "Time" with kibana visualization? Kibana	5	982	May 24, 2017
How to synchronize tcpdump/pcap file time with kibana? Kibana	3	1394	August 1, 2017
Wrong timestamp suricata module Kibana	4	575	November 1, 2020
Winlogbeat @timestamp Field Problem Beats winlogbeat	2	1925	December 12, 2016

*I am working with wireshark pcaps inside of SO kibana and hunt. Seems like the timestamps do not match?

The Logstash hosts

Related topics