Supported File Types
Teleseer supports the ingest of network collection files and bro/zeek logs.
Overview
Teleseer processes network collection files containing 802.3 or 802.11 (beta mode) headers. These files can be one-off collections or can exist within a compressed archive.
In addition to network collection files, Teleseer processes bro/zeek logs.
Network Collection Files
The following network collection file types are supported:
| Extension |
|---|
| .cap |
| .dmp |
| .pcap |
| .pcapng |
| Google Stenographer (https://github.com/google/stenographer) |
Cooked pcaps
"cooked" network collection files are not currently supported
Bro/Zeek
The following bro/zeek log files can be imported into Teleseer:
| conn.log | IP, TCP, UDP, ICMP connection details |
| dhcp.log | DHCP lease activity |
| dns.log | DNS query/response details |
| ftp.log | FTP request/reply details |
| http.log | HTTP request/reply details |
| ntp.log | NTP request/reply details |
| sip.log | SIP analysis |
| smtp.log | SMTP transactions |
| ssh.log | SSH handshakes |
| ssl.log | SSL handshakes |
| tunnel.log | Details of encapsulating tunnels |
It is recommended to use a supported compressed archive file such that all .log files can be ingested at once.
Assets created from log files without layer 2 content will appear within the External Hosts tab.
To create logs with layer 2 content, use the following zeek flag:
policy/protocols/conn/mac-logging
# Example
$ zeek -C -r maccdc_demo.pcap policy/protocols/conn/mac-logging
For more information on additional support and policies for zeek, see the Zeek Script Index
Supported formats
Teleseer currently provides support for the TSV format.
JSON format is not currently supported.
Compressed Archives
The following compressed archives are supported:
| Extension | Description |
|---|---|
| .bz2 | BZIP2 compressed archive |
| .gz | GNU zip compressed archive |
| .tar | Unix Tape Archive File compressed archive |
| .xz | LZMA compressed archive |
| .zip | Lossless data compression archive |
Updated 4 months ago