How does Packetbeat determine source and destination in a TCP flow?

Hi,

I'm investigating network flows, and Packetbeat collects network traffic including forwarding.

I found that some flows' destination is port 80 for HTTP.
However, for some flows the source port is port 80.

I'm very sure that port 80 must be the destination.
At this point, how does Packetbeat determine source and destination?

How can we solve this issue?

Thank you in advance,
jaypark81

It uses the first packet it sees as source. So if it has missed some packets from the beginning of the connection then it can get the source/destination wrong.
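
The behaviour described in the reply above, as an added example that is not part of the thread and is not Packetbeat's code: a small model of first-packet direction assignment, plus a heuristic check for flows whose source port is a known service port. The packet tuples, `SERVICE_PORTS` and `EPHEMERAL_MIN` are assumptions made for the illustration.

```python
from dataclasses import dataclass

SERVICE_PORTS = {80, 443}   # assumption: ports known to be listening services here
EPHEMERAL_MIN = 1024        # assumption: client ports are above the well-known range

@dataclass
class Flow:
    src: tuple            # (ip, port) of the sender of the first packet seen
    dst: tuple
    saw_syn: bool         # True when that first packet was a bare SYN
    packets: int = 1

def track(packets):
    """Group packets into flows; the first packet seen fixes source/destination."""
    flows = {}
    for src, dst, flags in packets:
        key = frozenset((src, dst))          # same key for both directions
        if key in flows:
            flows[key].packets += 1
        else:
            flows[key] = Flow(src, dst, saw_syn=(flags == "S"))
    return list(flows.values())

def likely_reversed(flow):
    """Flag flows whose handshake was missed and whose ports look swapped."""
    return (not flow.saw_syn
            and flow.src[1] in SERVICE_PORTS
            and flow.dst[1] >= EPHEMERAL_MIN
            and flow.dst[1] not in SERVICE_PORTS)

def normalized(flow):
    """Return (client, server) endpoints, swapping a flow flagged as reversed."""
    return (flow.dst, flow.src) if likely_reversed(flow) else (flow.src, flow.dst)

# Constructed sample: one HTTP connection, client 10.0.0.5:51000 -> server 10.0.0.9:80.
CLIENT, SERVER = ("10.0.0.5", 51000), ("10.0.0.9", 80)
FULL = [
    (CLIENT, SERVER, "S"),    # SYN
    (SERVER, CLIENT, "SA"),   # SYN-ACK
    (CLIENT, SERVER, "A"),    # ACK
    (CLIENT, SERVER, "PA"),   # HTTP request
    (SERVER, CLIENT, "PA"),   # HTTP response
]
LATE = FULL[4:]               # capture started after the request: response seen first

if __name__ == "__main__":
    for name, capture in (("full", FULL), ("late", LATE)):
        for f in track(capture):
            print(name, f.src, "->", f.dst, "reversed?", likely_reversed(f),
                  "normalized:", normalized(f))
```

The port check is only a heuristic: it is applied solely to flows whose first observed packet was not a bare SYN, since a flow that begins with a SYN already has a trustworthy direction.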

Understood.

Then I'm worried about one Packetbeat daemon monitoring many network interfaces.
(One Packetbeat daemon monitors 5 network interfaces now.)

Are there recommendations for setting up Packetbeat?
