Is it possible to use Cribl to analyse network traffic in a similar way to Splunk Stream App? Can we ingest data off the wire into Cribl?
We don't have a sniffer like this
but you can send the result of a sniffer into Cribl. For example: Splunk Stream -> Cribl -> destination
Thanks for clarifying
`tcpdump` in Exec
Some other products that might be interesting and can integrate with Cribl:
If you can get the sniffer output into Cribl, you could make some aggregations from that stream. Send the aggregations to one of your tools, and save the stream to cheap, quickly rotating storage.
Depends on what you're looking for.
What wire data specifically are you interested in? There's not much on the wire anymore that isn't encrypted.
DNS over HTTPS is going to be standard on most browsers in the next year or two, which will start to minimize even that dataset, which was probably the last bastion of unencrypted wire data.
We get a fair amount of value from just raw flows (not that a sniffer is the best way to get those).