How to capture Flow/TCP Payload


#1

I have a question regarding flow/TCP payload

case 1:
I found in ExtraHop, that there’s a TCP Conversation between many nodes unencrypted using port tcp:1500
buat when i try to build a trigger for it to know what’s being sent, the payload resulting “null”

case 2:
I found in ExtraHop, that there’s a TCP connection between 2 nodes, where the source port and the destination ports are all random, but the bytes sent is small and very rare, and when graphed, it’s look like a spike, i want to know, the payload being sent
i’ve built trigger for this also, the performance of the trigger looks like it get a hit,
but in runtime log, there’s no result for what i’m parsing.

any suggestion or example for the trigger for flow or tcp?
should i use flow event? which one to get the flow payload, flow tick,turn or?
should i use tcp event? which one to get tcp payload? tcp_payload event? or?

I’m using TCP_Payload as an event in trigger configuration, CMIIW
cause i think i miss match the event with the trigger coding.
but the trigger didn’t show any error or invalid event/invalid method

Thanks
Marcos

& sorry if i sounded like a dumb person, since i’m a beginner in coding JSON and using ExtraHop API’s