Can someone suggest tips for debugging Redis traffic listening?

I'm testing packetbeat on an Azure Cloud Instance VM (running Windows Server 2012 R2). I have it configured to output dns, http, memcache, redis, and flow. It outputs to a logstash instance.

So far, when I search in kibana, I'm only able to find types dns, http, and flow. I'm working on determining why I'm not getting redis traffic information.

Can someone suggest a list of things I should look at to determine why it's not working? Right now, I think problems could be related to:

  • What port is indicated in the yml file.
  • What device packetbeat is configured to sniff on

Are there any other potential issues I should be aware of? Regarding devices packetbeat sniffs on, is there a particular device I should be sniffing to get redis traffic? Are there things in the packetbeat log I should look out for?

I'd suggest checking with ngrep that there is traffic on the port you expect and that it looks readable. Something like:

ngrep -d eth0 "" "port 6379"

If you see nothing, then the port is wrong or there simply is no traffic.

If it outputs only garbage, the traffic might be encrypted.

If you can see Redis commands flying in, then we'll need to dig deeper in the Packetbeat logs.
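The triage above (no traffic / garbage / readable Redis commands) can also be done on a saved payload when ngrep is not available. The following is an added example, not code from the thread or from the Packetbeat project: it decodes the Redis wire format (RESP) from the raw bytes of one direction of a TCP stream (for instance saved from Wireshark's "Follow TCP Stream" as raw), and classifies the payload as Redis, TLS (a 0x16 0x03 record header, i.e. encrypted), or unknown. The sample payloads are constructed for the demo.

```python
"""Triage a captured port-6379 payload: is it readable Redis (RESP)?

Added example, not from the original thread. Feed it the raw bytes of one
direction of a TCP stream; the sample payloads below are constructed.
"""
import re

CRLF = b"\r\n"

# Constructed sample: a client sending SET and GET, as seen on the wire.
REDIS_CLIENT = (b"*3\r\n$3\r\nSET\r\n$5\r\nhello\r\n$5\r\nworld\r\n"
                b"*2\r\n$3\r\nGET\r\n$5\r\nhello\r\n")
# Constructed sample: the server's replies to the two commands above.
REDIS_SERVER = b"+OK\r\n$5\r\nworld\r\n"
# Constructed sample: leading bytes of a TLS 1.2 ClientHello record
# (content type 0x16 = handshake, version 0x03 0x01, then a dummy body).
TLS_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32


def parse_resp(buf, pos=0):
    """Parse one RESP value starting at buf[pos]; return (value, next_pos).

    Arrays -> list, bulk strings -> bytes, integers -> int,
    simple strings / errors -> str, null bulk/array -> None.
    Raises ValueError on anything that is not RESP.
    """
    if pos >= len(buf):
        raise ValueError("truncated")
    end = buf.find(CRLF, pos)
    if end < 0:
        raise ValueError("no CRLF terminator")
    kind, line, nxt = buf[pos:pos + 1], buf[pos + 1:end], end + 2
    if kind == b"+":
        return line.decode("ascii"), nxt
    if kind == b"-":
        return "ERR " + line.decode("ascii"), nxt
    if kind == b":":
        return int(line), nxt
    if kind == b"$":
        n = int(line)
        if n == -1:
            return None, nxt
        data = buf[nxt:nxt + n]
        if len(data) != n or buf[nxt + n:nxt + n + 2] != CRLF:
            raise ValueError("bad bulk string")
        return data, nxt + n + 2
    if kind == b"*":
        n = int(line)
        if n == -1:
            return None, nxt
        items = []
        for _ in range(n):
            item, nxt = parse_resp(buf, nxt)
            items.append(item)
        return items, nxt
    # Inline command (what a telnet/redis-cli user types, e.g. "PING\r\n").
    if re.fullmatch(rb"[\x20-\x7e]+", buf[pos:end]):
        return buf[pos:end].split(), nxt
    raise ValueError("not a RESP type byte: %r" % kind)


def render(val):
    """Flatten a parsed value into the command line a human would read."""
    if isinstance(val, list):
        return " ".join(render(v) for v in val)
    if isinstance(val, bytes):
        return val.decode("utf-8", "replace")
    return "(nil)" if val is None else str(val)


def decode_stream(buf):
    """Decode every RESP value in a stream into readable lines."""
    lines, pos = [], 0
    while pos < len(buf):
        val, pos = parse_resp(buf, pos)
        lines.append(render(val))
    return lines


def triage(buf):
    """Classify a payload the way the thread suggests: empty/tls/redis/unknown."""
    if not buf:
        return "empty"                    # port is wrong or nothing is talking
    if len(buf) >= 3 and buf[0] == 0x16 and buf[1] == 0x03:
        return "tls"                      # encrypted: Packetbeat cannot parse it
    try:
        decode_stream(buf)
        return "redis"                    # readable commands: look at the logs
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    for name, sample in [("client", REDIS_CLIENT), ("server", REDIS_SERVER),
                         ("tls", TLS_HELLO), ("noise", b"\x8f\x02\xff\xfe")]:
        print(name, triage(sample),
              decode_stream(sample) if triage(sample) == "redis" else "")
```

Running it prints `SET hello world` / `GET hello` for the client side and `OK` / `world` for the server side, while the TLS and random byte samples come out as `tls` and `unknown`. A stream that decodes cleanly here but never shows up as a `redis` document in Kibana points at Packetbeat itself (device, port list, or the publish pipeline) rather than at the traffic.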

Hi tudor,

Could you suggest something I could use on the Windows commandline? I do have npcap installed in winpcap compatibility mode (which is necessary to run packetbeat on windows machines). I imagine there's a way to dump port traffic using npcap?

I think easiest would be to use Wireshark.

Hi Tudor,

I ran redis locally, wrote a short script to write and read from it, and verified it was sending traffic to the port I expected redis traffic to be in. I'm having trouble seeing traffic when I'm running my application though.

That said, in Kibana I've noticed logs of type "flow" that have packetbeatSource.port = 6379. Would that be from the redis traffic? Is there a reason I'd see flow logs, but not redis logs?

Thanks for your help!

Scratch that last comment. As I debug on different machines, I noticed that my device numbers are different. On one machine, the Npcap Loopback Adapter was device 3, and on the other, device 4. The problem I hit when I posted my last comment was I was using the wrong device on the machine I was testing on.

Thanks again for your help!

