Can packetbeat set the number of packets to be captured as tcpdump does?


#1

Showing help of packetbeat, I find no options for setting the number of packets to be captured as tcpdump does. Is there a possibility to support this feature?

Thanks in advance!

% ./packetbeat --version
packetbeat version 5.3.4 (amd64), libbeat 5.3.4
%
% ./packetbeat --help

Usage of ./packetbeat:
  -E value
    	Configuration overwrite (default null)
  -I string
    	Read packet data from specified file
  -N	Disable actual publishing for testing
  -O	Read packets one at a time (press Enter)
  -c value
    	Configuration file, relative to path.config (default packetbeat.yml)
  -configtest
    	Test configuration and exit.
  -cpuprofile string
    	Write cpu profile to file
  -d string
    	Enable certain debug selectors
  -devices
    	Print the list of devices and exit
  -dump string
    	Write all captured packets to this libpcap file
  -e	Log to stderr and disable syslog/file output
  -httpprof string
    	Start pprof http server
  -l int
    	Loop file. 0 - loop forever (default 1)
  -memprofile string
    	Write memory profile to this file
  -path.config value
    	Configuration path
  -path.data value
    	Data path
  -path.home value
    	Home path
  -path.logs value
    	Logs path
  -setup
    	Load the sample Kibana dashboards
  -strict.perms
    	Strict permission checking on config files (default true)
  -t	Read packets as fast as possible, without sleeping
  -v	Log at INFO level
  -version
    	Print the version and exit
  -waitstop int
    	Additional seconds to wait before shutting down
$tcpdump --help
tcpdump version 4.9.0
libpcap version 1.7.4
OpenSSL 1.0.2g  1 Mar 2016
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
		[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
		[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
		[ -Q in|out|inout ]
		[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
		[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
		[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
		[ -Z user ] [ expression ]

(Steffen Siering) #2

No, there is no setting to limit the number of packets processed. packetbeat is not tcpdump + sending to Elasticsearch. It is actively parsing and analysing ongoing transactions on the application layer.


#3

Thank you very much, I will work around this in another way.
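
One way to get a tcpdump-style packet limit, as an added example that is not part of the original thread: capture a bounded file with `tcpdump -c`/`-w` and replay it into packetbeat with `-I`, using only flags shown in the two help outputs above. The interface, count and paths are constructed sample values, and `bounded_capture` and `valid_count` are hypothetical helper names.

```shell
#!/bin/sh
# Bounded capture with tcpdump, then offline analysis of the file with packetbeat.
# Flags used: tcpdump -i/-c/-w and packetbeat -e/-c/-I/-t, all listed in the
# help output quoted in the thread. Helper names here are hypothetical.

# Succeeds only if $1 is a positive integer, so the count is never passed
# to tcpdump as anything other than a plain number.
valid_count() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# bounded_capture IFACE COUNT PCAP [CONFIG]
# With DRY_RUN=1 the two commands are printed instead of executed.
bounded_capture() {
    iface=$1 count=$2 pcap=$3 config=${4:-packetbeat.yml}
    if ! valid_count "$count"; then
        echo "count must be a positive integer: '$count'" >&2
        return 2
    fi
    # Reject an empty interface or one that would be parsed as an option.
    case "$iface" in
        ''|-*) echo "bad interface: '$iface'" >&2; return 2 ;;
    esac
    run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }
    # Step 1: tcpdump exits on its own after COUNT packets and writes them to PCAP.
    run tcpdump -i "$iface" -c "$count" -w "$pcap" || return 1
    # Step 2: packetbeat reads the file (-I) without sleeping between
    # packets (-t) and logs to stderr (-e); -l defaults to 1, one pass.
    run ./packetbeat -e -c "$config" -I "$pcap" -t
}

# Example call (constructed values):
#   DRY_RUN=1 bounded_capture eth0 1000 /tmp/sample.pcap
```

A packet-count cutoff can end the capture in the middle of a request/response exchange, so transactions that straddle the end of the file may show up incomplete in packetbeat's output.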

