Analyzing network packets with Wireshark, Elasticsearch, and Kibana

Elastic Stack Kibana
1

Hello,
I tried this document. I got some mistakes.
Firtstly, I tried mapping in document.

Screenshot_1
Screenshot_1546×591 8.08 KB

Then I got this error;

  {
            "error" : {
            "root_cause" : [
            {
        "type" : "mapper_parsing_exception",
        "reason" : "Root mapping definition has unsupported parameters: [pcap_file : {dynamic=false, properties={layers={properties={udp={properties={udp_udp_srcport={type=integer}, udp_udp_dstport={type=integer}}}, ip={properties={ip_ip_src={type=ip}, ip_ip_dst={type=ip}}}, frame={properties={frame_frame_len={type=long}, frame_frame_protocols={type=keyword}}}}}, timestamp={type=date}}}]"
        }
        ],
        "type" : "mapper_parsing_exception",
        "reason" : "Failed to parse mapping [_doc]: Root mapping definition has unsupported parameters: [pcap_file : {dynamic=false, properties={layers={properties={udp={properties={udp_udp_srcport={type=integer}, udp_udp_dstport={type=integer}}}, ip={properties={ip_ip_src={type=ip}, ip_ip_dst={type=ip}}}, frame={properties={frame_frame_len={type=long}, frame_frame_protocols={type=keyword}}}}}, timestamp={type=date}}}]",
        "caused_by" : {
        "type" : "mapper_parsing_exception",
        "reason" : "Root mapping definition has unsupported parameters: [pcap_file : {dynamic=false, properties={layers={properties={udp={properties={udp_udp_srcport={type=integer}, udp_udp_dstport={type=integer}}}, ip={properties={ip_ip_src={type=ip}, ip_ip_dst={type=ip}}}, frame={properties={frame_frame_len={type=long}, frame_frame_protocols={type=keyword}}}}}, timestamp={type=date}}}]"
        }
        },
        "status" : 400
        }

After I tried curl part

Screenshot_2
Screenshot_2988×114 13.6 KB

I solved these errors like this;

Screenshot_3
Screenshot_3933×92 5.38 KB

This caused other problems. How can I solve?

2

Hey @elify, welcome to the discussion boards!

The blog post you're following is ~2.5 years old, and the example does not work on more modern versions of Elasticsearch. The mapping includes a custom type, and support for this was deprecated in 7.0.

Try this instead:

PUT _template/packets
{
  "index_patterns": "packets-*",
  "mappings": {
      "dynamic": "false",
      "properties": {
        "timestamp": {
          "type": "date"
        },
        "layers": {
          "properties": {
            "frame": {
              "properties": {
                "frame_frame_len": {
                  "type": "long"
                },
                "frame_frame_protocols": {
                  "type": "keyword"
                }
              }
            },
            "ip": {
              "properties": {
                "ip_ip_src": {
                  "type": "ip"
                },
                "ip_ip_dst": {
                  "type": "ip"
                }
              }
            },
            "udp": {
              "properties": {
                "udp_udp_srcport": {
                  "type": "integer"
                },
                "udp_udp_dstport": {
                  "type": "integer"
                }
              }
            }
          }
        }
      }
    }
}
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.