Is raw data gathering possible with packetbeat?

tancfire · March 14, 2018, 3:33pm

Hello,

Packetbeat is very useful to sniff and send data to logstash, so i started to use it. But now, i have a problem:

I want to get the raw data (in heaxdecimal, like in wireshark) when packetbeat cannot recognize the packet's protocol.

Is it possible with packetbeat ? Must i use an other software (like wireshark) ?

Here my current configuration file (packetbeat.yml):

packetbeat.interfaces.device: any

packetbeat.flows:
  timeout: 30s
  period: 10s

packetbeat.protocols.dns:
  ports: [53]
  include_authorities: true
  include_additionals: true

packetbeat.protocols.http:
  ports: [80, 443, 8080, 8081]
  send_response: true
  include_body_for: ["text/html"]
  
packetbeat.protocols.icmp:
  send_response: true
  send_request: true
  enabled: true

output.logstash:
  hosts: ['localhost:5000']

adrisr · March 15, 2018, 2:04pm

Packetbeat doesn't support dumping of raw packets.

What do you mean by packetbeat not recognizing the packet's protocol?

When you have a protocol bound to a port (i.e. http to port 80 in your config) but a packet arrives in that port that it cannot recognize?
When packets arrive on different ports to which a parser has not been assigned?

In both cases it is not supported right now, you can create an Enhancement Request in the beats repository.

tancfire · March 15, 2018, 2:32pm

I meant the first case.

Thanks you.

system · April 12, 2018, 2:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.