Hi,
I was trying to use Packetbeat to monitor network traffic of a FTP server. in a specific way, I was trying to log all the attempted connections on local port 21 and 22.
Just to start I've enabled http protocol on port 21-22 with this code:
packetbeat.protocols.http:
ports: [21, 22]
but I'm getting event from a lot of local ports.
Packetbeat does not support the FTP protocol. See https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html for a list of supported protocols.
perfectly correct, I knew that but the if I try to connect via ftp or sftp to a file transfer server I will generate TCP traffic that theoretically Packetbeat can sniff.
Do you think could be an idea to think up a support to FTP protocol?
It's possible, it may not be difficult given the FTP protocol is pretty static (in regards to changes) too 
I guess you suggest to start from NewProtocolGuide
right?
If you don't need application layer details about the traffic you could try using flows.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.