Collecting port scans -- "Ignore empty non-FIN packet"

tipene · October 25, 2016, 2:37pm

How can I collect the opening packet in a port scan (ie, the SYN before the handshake is completed) using Packetbeat?

I'm using pcap with bpf_filter to select all TCP/IP traffic from a variety of ports. Unfortunately this does not capture port scans. The explanation (when I ran packetbeat -d "*" ) is that the non-FIN (ie, SYN packet) is discarded:

decoder.go:179: DBG Ignore empty non-FIN packet

When I dump to a file using the -dump argument I do see the packets listed there, however, they are not submitted to ElasticSearch because they are discarded.

This is the configuration that I'm using:

interfaces:
device: any
type: pcap
snaplen: 1514
buffer_size_mb: 10
bpf_filter: "port 23 or port 2323 or port 6789"

tipene · October 25, 2016, 2:40pm

Example command line:

sudo packetbeat -c packetbeat_raw.yml -d "*" -dump /tmp/tcp-out

Output from tcpdump:

tcpdump -r /tmp/tcp-out -n
...
10:25:17.978102 IP 49.143.22.136.49387 > x.x.x.x.telnet: Flags [S], seq 758585095, win 60867, length 0
10:25:17.995765 IP x.x.x.x.telnet > 49.143.22.136.49387: Flags [R.], seq 0, ack 758585096, win 0, length 0

system · November 15, 2016, 2:37pm

This topic was automatically closed after 21 days. New replies are no longer allowed.

Topic		Replies	Views
PacketBeat to capture all traffic except few port? Beats packetbeat	4	1335	January 9, 2020
Packetbeat - Bug parsing http method Beats beats-development , packetbeat	1	533	October 25, 2020
Packetbeat7.13.3 default BPF Beats packetbeat	2	415	August 19, 2021
BPF filter is empty Beats packetbeat	1	378	March 27, 2020
Packetbeat is not sniffing the packets from a SPAN port Beats packetbeat	3	1895	July 5, 2017

Collecting port scans -- "Ignore empty non-FIN packet"

Related topics