Does not capture ICMP traffic

korsdecaying · March 26, 2017, 9:59am

DNS traffic is displayed in Kiban, and ICMP is not present

 # /etc/packetbeat/packetbeat.yml
    packetbeat.interfaces.device: 1

packetbeat.protocols.dns:
  ports: [53]
  include_authorities: true
  include_additionals: true
  
  packetbeat.protocols.icmp:
  
output.elasticsearch:
  hosts: ["localhost:9200"]

rcowart · March 26, 2017, 6:44pm

You need to enable ICMP by adding enabled: true to the ICMP config section like this...

packetbeat.protocols.icmp:
  # Enable ICMPv4 and ICMPv6 monitoring. Default: false
  enabled: true

Rob

korsdecaying · March 26, 2017, 7:20pm

Thank you. I tried. I restarted the elastic packetbeat. Does not preserve

ruflin · March 27, 2017, 6:58pm

It looks like the idendation is off in your config for icmp.

korsdecaying · March 29, 2017, 9:59am

Tell me please where you can turn it on?

andrewkroh · March 29, 2017, 4:35pm

The config to enable ICMP is exactly what Rob gave above. If you continue to have problems please provide your complete config file.

korsdecaying · March 29, 2017, 5:56pm

I apologize. Here is the complete file

# /etc/packetbeat/packetbeat.yml
packetbeat.interfaces.device: 1
    packetbeat.protocols.dns:
      ports: [53]
      include_authorities: true
      include_additionals: true
      
      packetbeat.protocols.icmp:
      enabled: true
      
    output.elasticsearch:
      hosts: ["localhost:9200"]

andrewkroh · March 29, 2017, 6:21pm

The configuration file is YAML and indentation is critical to proper interpretation of the data. Try it like this:

packetbeat.interfaces.device: 1

packetbeat.protocols.dns:
  ports: [53]
  include_authorities: true
  include_additionals: true
      
packetbeat.protocols.icmp:
  enabled: true
      
output.elasticsearch:
  hosts: ["localhost:9200"]

rcowart · March 29, 2017, 6:35pm

@andrewkroh was a little faster than me. For what it is worth I tested the results with improper indentation as @korsdecaying posted and confirmed that it will cause ICMP to not work as expected.

More about YAML indentation rules here...
http://yaml.org/spec/1.2/2009-07-21/spec.html#id2576668

As you work with Elastic Stack you will likely use YAML in a lot of places. This include configuration files, but also things like Logstash dictionary files use by the translate filter. It is definitely worth familiarizing yourself with the YAML basics.

Rob

steffens · March 30, 2017, 8:24am

beats add some features on top of YAML. See Beats Config file format docs.

system · April 27, 2017, 8:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.