hello,
I was encountered a problem that I saw 2 tcp segments which were actually 2parts of one data packet, I used packetbeat to monitor them and I eventually got two packets in packetbeat instead of one reassembled packet.
so my question is does packetbeat automatically reassemble the packets for me ? or do I need to assemble them by myself, and how if you have any suggestions.
thanks so much I really need help on this.
packetbeat reconstructs the TCP stream. It's perfectly valid for TCP to have duplicates or even overlapping segments. The fully reconstructed TCP stream is finally passed to the protocol analyzers. packetbeat flows on the other hand operates on at packet-level and therefore has to count every single packet (would be nice if flows will gain some TCP stats on flags or retransmits).
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.