streamfwd command line options
The streamfwd binary that comes with Splunk_TA_stream includes command line options that let you read packets from pcap files, send pcap file data to Splunk indexers, find Windows and Linux network interfaces, and perform several configuration tasks.
streamfwd command line options override the streamfwd.conf configuration file, which by default captures data from all network devices. streamfwd command line options also override any specific capture locations specified by the streamfwdcapture parameter in streamfwd.conf.
Note: You do not need root privileges to run streamfwd commands.
Location of streamfwd.conf
streamfwd looks for streamfwd.conf in these locations:
- Current working directory
- $CWD/etc/local
- $CWD/config (for legacy purposes)
- /etc/streamfwd/local
- $STREAMFWD_PATH/etc/local
- $STREAMFWD_PATH/../../etc/local (this location is typically used for a Splunk_TA_stream deployment)
Note: On Windows, the app reports service errors (such as "configuration file not found") to the Windows Event log.
List network interfaces
Use this option to view all network interfaces on Windows or Linux machines:
--iflist
For example, on a Windows machine:
C:\Splunk_Home\etc\apps\Splunk_TA_stream\windows_x86_64\bin>streamfwd.exe --iflist
<Sniffer>
  <Interface>
    <Name>\Device\NPF_{D6995D00-B75C-48DB-99AA-69F0150126BC}</Name>
    <Alias>Local Area Connection</Alias>
    <Description>Intel(R) PRO/1000 MT Network Connection</Description>
  </Interface>
</Sniffer>
Read pcap files
Use this option to read the contents of a pcap file:
-r <PCAP_FILE>
For example:
./streamfwd -r my.pcap
You can use the -r option multiple times to specify multiple pcap files to read in parallel. The -r option is implied if one of your arguments is a valid pcap file name. The following is functionally equivalent to the above example:
./streamfwd my.pcap
If you provide a pcap file without an -s option, streamfwd assumes "-s localhost:8889". Both of these examples send the data that the pcap file contains to the streamfwd modular input running on the same server.
Note: Splunk App for Stream does not support the Wireshark pcapng format. To use these files with Stream, you must convert pcapng to pcap format.
Set bitrate
Use this option to set a bitrate for how fast each pcap file is read:
-b <BITS_PER_SECOND>
By default, the bitrate is 10 Mbps if --repeat (see below) is enabled, otherwise it is unlimited (as fast as possible).
Use system time
This option causes streamfwd to use the system clock time for each packet read, instead of using the timestamps within pcap files.
--systime
Repeat pcap files
Use this option to cause streamfwd to continuously repeat pcap files until it is terminated:
--repeat
For example, to continuously repeat two pcap files at the rate of 1 Mbps each (2 Mbps total):
./streamfwd -r my.pcap -r your.pcap -b 1048576 --repeat
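The two notes above (pcapng is not supported, and -r / -b / --repeat combine into one replay command) are easy to get wrong in a script that feeds captures to streamfwd: a pcapng file is accepted by the file-name check but yields no useful events. The following POSIX sh script is an added example, not Splunk's own code: it classifies a capture file by the magic bytes in its file header (the standard libpcap header values and the pcapng Section Header Block type) and builds the replay command line only from files that are classic pcap. The sample files are constructed inline and contain only header bytes; the helper names pcap_kind and build_replay_cmd are this example's own, and the 1048576 bits per "Mbps" follows the page's example above.

```shell
#!/bin/sh
# Added example, not Splunk's own code: check a capture file's header before
# handing it to streamfwd, which reads classic pcap but not pcapng, and build
# the replay command line (-r per file, -b bitrate, --repeat) from the result.
# The magic values are the standard libpcap file header and the pcapng
# Section Header Block type; 1048576 bits per "Mbps" follows the page's example.

# Print "pcap", "pcapng" or "unknown" for the file named in $1.
pcap_kind() {
    [ -r "$1" ] || { echo unknown; return 0; }
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4) echo pcap ;;    # microsecond timestamps, LE / BE
        4d3cb2a1|a1b23c4d) echo pcap ;;    # nanosecond timestamps, LE / BE
        0a0d0d0a)          echo pcapng ;;  # pcapng Section Header Block
        *)                 echo unknown ;;
    esac
}

# Usage: build_replay_cmd MBPS FILE...
# Prints the streamfwd command that replays FILE... continuously at MBPS
# megabits per second each. Refuses (non-zero exit) any non-pcap file, so a
# pcapng capture fails here instead of silently producing no events.
build_replay_cmd() {
    mbps=$1; shift
    bits=$((mbps * 1048576))
    cmd="./streamfwd"
    for f in "$@"; do
        kind=$(pcap_kind "$f")
        if [ "$kind" != pcap ]; then
            echo "refusing $f: $kind (convert pcapng to pcap first)" >&2
            return 1
        fi
        cmd="$cmd -r $f"
    done
    echo "$cmd -b $bits --repeat"
}

# Constructed sample files (not real captures): only the leading magic bytes
# matter for the check; the remaining bytes are filler.
tmp=$(mktemp -d)
printf '\324\303\262\241\002\000\004\000' > "$tmp/le.pcap"
printf '\241\262\303\324\000\002\000\004' > "$tmp/be.pcap"
printf '\012\015\015\012\034\000\000\000' > "$tmp/cap.pcapng"
printf 'not a capture' > "$tmp/text.bin"

build_replay_cmd 1 "$tmp/le.pcap" "$tmp/be.pcap"
build_replay_cmd 1 "$tmp/le.pcap" "$tmp/cap.pcapng" || echo "rejected as expected"
```

The first call prints the same shape of command as the page's example ("./streamfwd -r ... -r ... -b 1048576 --repeat"); the second is refused because the pcapng file's header does not match any libpcap magic value. Checking the header rather than the file extension matters because Wireshark writes pcapng by default regardless of the name you give the file.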
Get streamfwd version
Use this option to get the current streamfwd version:
--version
./streamfwd --version
streamfwd version 6.0.0 build 450
Modular input scheme
Use this option to print the modular input scheme:
--scheme
./streamfwd --scheme
<scheme>
  <title>Wire data</title>
  <description>Passively capture wire data from network traffic.</description>
  <use_external_validation>true</use_external_validation>
  <use_single_instance>true</use_single_instance>
  <streaming_mode>xml</streaming_mode>
  <endpoint>
    <args>
      <arg name="splunk_stream_app_location">
        <title>Splunk App for Stream Location</title>
        <description>URI including full path to splunk_app_stream installation (i.e. http://localhost:8000/dj/en-us/splunk_app_stream)</description>
        <validation>validate(match('splunk_stream_app_location', '^https?://.+'), 'Location must start with http:// or https://')</validation>
      </arg>
    </args>
  </endpoint>
</scheme>
Validate modular input arguments
Use this option to validate modular input arguments passed via STDIN:
--validate-arguments
Manage SSL keys
Use this option to view existing SSL keys:
--sslkeylist
Use this option to add new SSL keys:
--addsslkey
Use this option to delete existing SSL keys:
--deletesslkey
Note: The --sslkeylist and --addsslkey options create local/keystore.db if it does not already exist.
This documentation applies to the following versions of Splunk Stream™: 6.5.0, 6.5.1