ICMP setting ignored?


(Andrej Rosenheinrich) #1

Hi,

I am trying to monitor my HTTP traffic using packetbeat 5.0.0-alpha4 (something I did before with 1.x with good results).
My problem is that I am receiving an increasing number of events, even when no HTTP traffic occurs. Looking at the index, many of those documents are of type icmp, which should not happen as I commented out the icmp type and the default is false (at least that's what the docs say). Even setting it to false explicitly doesn't change the behavior. Is there a problem in my configuration, or is the setting not evaluated correctly?

Following is my configuration. I disabled flows, set icmp to false (I also tried to just comment it out) and only left http to be watched. Output is standard Elasticsearch.

#################### Packetbeat Configuration Example #########################

#============================== Network device ================================
packetbeat.interfaces.device: any

#================================== Flows =====================================
#packetbeat.flows.timeout: 30s

# Configure reporting period. If set to -1, only killed flows will be reported
#packetbeat.flows.period: 10s

#========================== Transaction protocols =============================

packetbeat.protocols.icmp:
  # Enable ICMPv4 and ICMPv6 monitoring. Default: false
  enabled: false

packetbeat.protocols.amqp:
  # Configure the ports where to listen for AMQP traffic. You can disable
  # the AMQP protocol by commenting out the list of ports.
#  ports: [5672]

packetbeat.protocols.dns:
  # Configure the ports where to listen for DNS traffic. You can disable
  # the DNS protocol by commenting out the list of ports.
#  ports: [53]

  # include_authorities controls whether or not the dns.authorities field
  # (authority resource records) is added to messages.
#  include_authorities: true

  # include_additionals controls whether or not the dns.additionals field
  # (additional resource records) is added to messages.
#  include_additionals: true

packetbeat.protocols.http:
  # Configure the ports where to listen for HTTP traffic. You can disable
  # the HTTP protocol by commenting out the list of ports.
  ports: [8080, 8081, 8082]

packetbeat.protocols.memcache:
  # Configure the ports where to listen for memcache traffic. You can disable
  # the Memcache protocol by commenting out the list of ports.
#  ports: [11211]

packetbeat.protocols.mysql:
  # Configure the ports where to listen for MySQL traffic. You can disable
  # the MySQL protocol by commenting out the list of ports.
#  ports: [3306]

packetbeat.protocols.pgsql:
  # Configure the ports where to listen for Pgsql traffic. You can disable
  # the Pgsql protocol by commenting out the list of ports.
#  ports: [5432]

packetbeat.protocols.redis:
  # Configure the ports where to listen for Redis traffic. You can disable
  # the Redis protocol by commenting out the list of ports.
#  ports: [6379]

packetbeat.protocols.thrift:
  # Configure the ports where to listen for Thrift-RPC traffic. You can disable
  # the Thrift-RPC protocol by commenting out the list of ports.
#  ports: [9090]

packetbeat.protocols.mongodb:
  # Configure the ports where to listen for MongoDB traffic. You can disable
  # the MongoDB protocol by commenting out the list of ports.
#  ports: [27017]

packetbeat.protocols.nfs:
  # Configure the ports where to listen for NFS traffic. You can disable
  # the NFS protocol by commenting out the list of ports.
#  ports: [2049]

#================================ General =====================================

#================================ Outputs =====================================

# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]

  # Template name. By default the template name is packetbeat.
  template.name: "packetbeat"

  # Path to template file
  template.path: "packetbeat.template.json"

  # Overwrite existing template
  template.overwrite: false

#----------------------------- Logstash output --------------------------------

#================================ Logging =====================================

(Steffen Siering) #2

have you tried to fully comment out the icmp section?


(Andrej Rosenheinrich) #3

Yes. Same effect as when I set it on false.


(Steffen Siering) #4

hm, this is funny. Which operating system are you using? Which sniffer type? Checking your config, it looks like Linux + libpcap. I'd configure af_packet via:

# The type of the sniffer to use
packetbeat.interfaces.type: af_packet

Checking the code, this is the location where we check whether ICMP is available in the protocols section (the enabled flag as used in the sample config does not exist). That is, the mere presence of packetbeat.protocols.icmp: enables ICMP support.

Plus, the ICMP protocol analyzers are only initialized if packetbeat.protocols.icmp exists:


If icmp is found in the protocols section, icmp is enabled in the BPF filter (otherwise packets will be filtered out by the sniffer) by adding icmp or icmp6 to the BPF filter.

Can you run packetbeat in the foreground with -e -v -d 'sniffer'? This will print a line BPF filter: ... showing the exact BPF filter configured.

When in doubt you can still set your own bpf filter via:

packetbeat.interfaces.bpf_filter: 'tcp port 80 or (vlan and tcp port 80)'

This BPF filter will only capture TCP port 80 packets (the default HTTP port), for example. No icmp events can be captured when using this filter.

Did you check that you're using the correct config file? E.g. set packetbeat.interfaces.device to some invalid value. If packetbeat still starts up and processes traffic, packetbeat might not be using the config file you're expecting. Try setting the absolute path to your config file when starting packetbeat.
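The behaviour described in this reply, as an added example (not packetbeat's own code or anyone's post in this thread): a small config check that treats a packetbeat.protocols.<name>: section as "present" whenever it is uncommented, ignores any enabled flag the way the analyzer does, and shows the resulting capture filter. The YAML parsing is a minimal subset written here for the example, and the filter string is an assumed approximation of packetbeat's generated one, not its exact output; run packetbeat with -d 'sniffer' to see the real line.

```python
import re

# Constructed sample config mirroring the thread: icmp section present with
# enabled: false, http on three ports, other protocols commented out.
SAMPLE_CONFIG = """\
packetbeat.protocols.icmp:
  enabled: false
packetbeat.protocols.dns:
#  ports: [53]
packetbeat.protocols.http:
  ports: [8080, 8081, 8082]
"""

SECTION_RE = re.compile(r"^packetbeat\.protocols\.(\w+):\s*$")
PORTS_RE = re.compile(r"^\s+ports:\s*\[([^\]]*)\]\s*$")
ENABLED_RE = re.compile(r"^\s+enabled:\s*(\w+)\s*$")

def parse_protocols(text):
    """Minimal YAML-subset parser: {name: {"ports": [...], "enabled": str|None}}
    for each uncommented packetbeat.protocols.<name>: section."""
    protocols, current = {}, None
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out line never counts as present
        if m := SECTION_RE.match(line):
            current = m.group(1)
            protocols[current] = {"ports": [], "enabled": None}
        elif current and (m := PORTS_RE.match(line)):
            protocols[current]["ports"] = [int(p) for p in m.group(1).split(",") if p.strip()]
        elif current and (m := ENABLED_RE.match(line)):
            protocols[current]["enabled"] = m.group(1)
    return protocols

def build_bpf_filter(protocols):
    """Assumed approximation of the generated filter: 'tcp port N' per configured
    port, plus 'icmp or icmp6' whenever the icmp section exists, enabled flag or not."""
    terms = [f"tcp port {p}" for n, c in protocols.items() if n != "icmp" for p in c["ports"]]
    if "icmp" in protocols:
        terms.append("icmp or icmp6")
    return " or ".join(terms)

def lint(protocols):
    """Warnings a config check would raise for the situation in the thread."""
    warnings = []
    if "icmp" in protocols and protocols["icmp"]["enabled"] == "false":
        warnings.append("icmp: section present with enabled: false; remove the whole section")
    warnings += [f"{n}: section present but no ports configured"
                 for n, c in protocols.items() if n != "icmp" and not c["ports"]]
    return warnings
```

Deleting the two icmp lines from SAMPLE_CONFIG (rather than setting enabled: false) is what removes icmp from the filter, which is the fix this thread arrives at.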


(system) #5

This topic was automatically closed after 21 days. New replies are no longer allowed.