Hi, I have a framework for packet analysis that I have built on the ELK stack. Mainly, I have been using it for network trace analysis and monitoring. There is one issue that I have been struggling with, and it may not be related to Elasticsearch, but I wanted to give it a try.
I am ingesting EK format packet data into Elasticsearch along with hex data using the following command:
tshark -T ek -x -r packetfile.pcap >> outfile
I want to use this data to re-generate the original packetfile.pcap.
I have exhausted many forums related to Wireshark and the Unix community to work on this pipeline, but I am unable to find an efficient solution. Currently, I am saving the hex data separately for the same ID as generated by
tshark -x -r packetfile.pcap >> hex.txt
and ingesting it into ES. But the problem with this is that it doesn't save the timestamps along with it. So I have to save the timestamps separately and then insert the timestamps into hex.txt for each packet's hex header. I know this is not a good way to achieve this, as it takes forever to insert timestamps into hex.txt if there is, for example, info for 10000 packets in hex.txt.
Is there a simpler way to regenerate the packets with the original timestamps of each frame saved in ES?
Thank you in advance!
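As an added example, not part of the original post: a Python script that reads the NDJSON produced by tshark -T ek -x and writes a libpcap file, so each frame's hex and its timestamp come from the same document and no separate hex.txt is needed. It assumes each document carries "timestamp" (milliseconds since the epoch) and layers["frame_raw"] as either a hex string or a list whose first element is one, prefers the finer-grained frame_frame_time_epoch field when present, and takes the link type (Ethernet by default) from the caller; the sample records are constructed.

```python
# Added example, not from the original post: rebuild a pcap from tshark "-T ek -x" output.
# Assumptions: "timestamp" is ms since the epoch; layers["frame_raw"] is a hex string or a
# list whose first element is one; "frame_frame_time_epoch" is preferred when present.
import json
import struct
from typing import Iterable, List, Tuple
PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution pcap, written little-endian

ARP_HEX = ("ffffffffffff000000000001" "0806" "0001080006040001"
           "0000000000010a000001" "0000000000000a000002")  # 42-byte ARP request (constructed)
SAMPLE_EK = "\n".join([  # constructed EK lines: action line, document, action line, document
    '{"index":{"_index":"packets-2018-05-17","_type":"pcap_file"}}',
    '{"timestamp":"1526542220210","layers":{"frame_raw":["%s",0,42,0,1],'
    '"frame_frame_time_epoch":"1526542220.210678000"}}' % ARP_HEX,
    '{"index":{"_index":"packets-2018-05-17","_type":"pcap_file"}}',
    '{"timestamp":"1526542221000","layers":{"frame_raw":"%s"}}' % ARP_HEX,
])

def frame_hex(doc: dict) -> str:
    """Newer tshark emits raw fields as [hex, pos, len, bitmask, type]; older ones as a string."""
    raw = doc["layers"]["frame_raw"]
    return raw[0] if isinstance(raw, list) else raw

def frame_time(doc: dict) -> Tuple[int, int]:
    """(seconds, microseconds): prefer frame.time_epoch, else the millisecond timestamp."""
    epoch = doc["layers"].get("frame_frame_time_epoch")
    if epoch is not None:
        sec, _, frac = str(epoch).partition(".")
        return int(sec), int((frac + "000000")[:6])
    ms = int(doc["timestamp"])
    return ms // 1000, (ms % 1000) * 1000

def parse_ek(lines: Iterable[str]) -> List[Tuple[int, int, bytes]]:
    """Skip the {"index":...} action lines that EK output interleaves; keep packet records."""
    packets = []
    for line in lines:
        if not line.strip():
            continue
        doc = json.loads(line)
        if "layers" in doc:
            sec, usec = frame_time(doc)
            packets.append((sec, usec, bytes.fromhex(frame_hex(doc))))
    return packets

def build_pcap(packets, linktype: int = 1, snaplen: int = 65535) -> bytes:
    """Global header (magic, v2.4, tz 0, sigfigs 0, snaplen, linktype), then one record per packet."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for sec, usec, data in packets:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return bytes(out)
```

To use it on the real outfile, pass its lines to parse_ek and write build_pcap's result to a .pcap file; documents fetched back from Elasticsearch have the same shape in _source, so the same functions apply to search hits.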