We don't have a sniffer like this

but you can send the result of a sniffer into Cribl. For example: Splunk Stream -> Cribl -> destination

Thanks for clarifying

`tcpdump` in Exec

Some other products that might be interesting and can integrate with Cribl:» https://www.elastic.co/beats/packetbeat|PacketBeat» https://www.elastiflow.com/|ElastiFlow

If you can get the sniffer output into cribl, you could make some aggregations from that stream. Send the aggregations to one of your tools, and save the stream to cheap, quickly rotating storage.Depends on what you're looking for.

What wire data specifically are you interested in? There's not much on the wire anymore that isn't encrypted.

DNS over HTTPS is going to be standard on most browsers in the next year or two which will start to minimize even that dataset which was probably the last bastion of unencrypted wire data

We get a fair amount of value from just raw flows (not that a sniffer is the best way to get those).