Is there a way to see what data has been sent to amqp in packetbeat?

We are capturing the AMQP traffic in Packetbeat. Is there a way to fetch the data present in this Packetbeat output to verify that it is the AMQP message itself?
Below is the data getting captured.
{
  "_index": "packetbeat-6.6.2-2019.03.27",
  "_type": "doc",
  "_id": "3CLLvmkBdkK0WkcINOod",
  "_version": 1,
  "_score": null,
  "_source": {
    "last_time": "2019-03-27T10:55:39.762Z",
    "type": "flow",
    "transport": "tcp",
    "flow_id": "EQQA////DP//////FP8BAAEQ8xGhXgCEqT4PgNwKdSlFCnX0aJAfmM0",
    "start_time": "2019-03-27T10:55:09.521Z",
    "@version": "1",
    "@timestamp": "2019-03-27T10:56:20.726Z",
    "final": true,
    "dest": {
      "port": 8080,
      "stats": {
        "net_bytes_total": 8248,
        "net_packets_total": 21
      },
      "ip": "10.117.41.69",
      "mac": "10:f3:11:a1:5e:00"
    },
    "tags": [
      "beats_input_raw_event"
    ],
    "source": {
      "port": 52632,
      "stats": {
        "net_bytes_total": 6052,
        "net_packets_total": 13
      },
      "ip": "10.117.244.104",
      "mac": "84:a9:3e:0f:80:dc"
    },
    "host": {
      "name": "LP-5CD84712T7",
      "os": {
        "name": "Windows 10 Enterprise",
        "build": "17134.648",
        "version": "10.0",
        "family": "windows",
        "platform": "windows"
      },
      "architecture": "x86_64",
      "id": "06ce0032-be2e-4181-a5f9-551e7e10cc3e"
    },
    "beat": {
      "name": "LP-5CD84712T7",
      "version": "6.6.2",
      "hostname": "LP-5CD84712T7"
    }
  },
  "fields": {
    "start_time": [
      "2019-03-27T10:55:09.521Z"
    ],
    "@timestamp": [
      "2019-03-27T10:56:20.726Z"
    ],
    "last_time": [
      "2019-03-27T10:55:39.762Z"
    ]
  },
  "highlight": {
    "dest.port": [
      "@kibana-highlighted-field@8080@/kibana-highlighted-field@"
    ],
    "source.ip": [
      "@kibana-highlighted-field@10.117.244.104@/kibana-highlighted-field@"
    ],
    "transport": [
      "@kibana-highlighted-field@tcp@/kibana-highlighted-field@"
    ],
    "type": [
      "@kibana-highlighted-field@flow@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1553684180726
  ]
}

Hi,

What you are pasting is a flow (see packetbeat.flows in packetbeat.yml).

For monitoring AMQP traffic you need to enable the amqp transaction protocol and configure it with the port that AMQP uses in your network.
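The configuration the reply describes, as an added example for this thread rather than anything the posters provided. The flow document above records only byte and packet counts per connection, which is why no message content appears in it; enabling the amqp protocol in packetbeat.yml makes Packetbeat decode the AMQP frames on the listed ports and emit one event per transaction (those events carry type: amqp instead of type: flow). The port list is an assumption: 5672 is the IANA-registered AMQP port, and 8080 is added only because that is the destination port in the flow the question shows, so use whatever port your broker actually listens on. The option names and defaults are the ones documented for the Packetbeat amqp module; the values chosen here are illustrative.

```yaml
# packetbeat.yml (Packetbeat 6.x) - added example, not from the original thread
packetbeat.interfaces.device: any

# Flows only give per-connection byte/packet counters (the document in the
# question). Leave them on if you want them, but they never contain payloads.
packetbeat.flows:
  timeout: 30s
  period: 10s

packetbeat.protocols:
- type: amqp
  # Ports Packetbeat should decode as AMQP. 5672 is the standard broker port;
  # 8080 is assumed here only because the captured flow targets it.
  ports: [5672, 8080]

  # Maximum number of message body bytes kept in the event (default 1000).
  # Raise it if you need to see whole payloads; remember that bodies then
  # land in Elasticsearch in clear text.
  max_body_length: 4000

  # Decode AMQP message headers and method arguments into fields (defaults: true).
  parse_headers: true
  parse_arguments: true

  # Set to false to also index connection.start/tune/open handshake
  # transactions, which are hidden by default (default: true).
  hide_connection_information: true
```

After restarting Packetbeat, filter in Kibana on type:amqp (rather than type:flow) to see the decoded transactions; the AMQP method, for example basic.publish, is recorded in the method field. Note that Packetbeat can only decode AMQP it can read on the wire: if the broker connection is TLS-wrapped, enabling the module will not expose the messages.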
