We are capturing the amqp traffic in packetbeat. Is there a way to fetch the data present in this packetbeat to verify that it is the amqp message itself.
Below is the data getting captured.
{
"_index": "packetbeat-6.6.2-2019.03.27",
"_type": "doc",
"_id": "3CLLvmkBdkK0WkcINOod",
"_version": 1,
"_score": null,
"_source": {
"last_time": "2019-03-27T10:55:39.762Z",
"type": "flow",
"transport": "tcp",
"flow_id": "EQQA////DP//////FP8BAAEQ8xGhXgCEqT4PgNwKdSlFCnX0aJAfmM0",
"start_time": "2019-03-27T10:55:09.521Z",
"@version": "1",
"@timestamp": "2019-03-27T10:56:20.726Z",
"final": true,
"dest": {
"port": 8080,
"stats": {
"net_bytes_total": 8248,
"net_packets_total": 21
},
"ip": "10.117.41.69",
"mac": "10:f3:11:a1:5e:00"
},
"tags": [
"beats_input_raw_event"
],
"source": {
"port": 52632,
"stats": {
"net_bytes_total": 6052,
"net_packets_total": 13
},
"ip": "10.117.244.104",
"mac": "84:a9:3e:0f:80:dc"
},
"host": {
"name": "LP-5CD84712T7",
"os": {
"name": "Windows 10 Enterprise",
"build": "17134.648",
"version": "10.0",
"family": "windows",
"platform": "windows"
},
"architecture": "x86_64",
"id": "06ce0032-be2e-4181-a5f9-551e7e10cc3e"
},
"beat": {
"name": "LP-5CD84712T7",
"version": "6.6.2",
"hostname": "LP-5CD84712T7"
}
},
"fields": {
"start_time": [
"2019-03-27T10:55:09.521Z"
],
"@timestamp": [
"2019-03-27T10:56:20.726Z"
],
"last_time": [
"2019-03-27T10:55:39.762Z"
]
},
"highlight": {
"dest.port": [
"@kibana-highlighted-field@8080@/kibana-highlighted-field@"
],
"source.ip": [
"@kibana-highlighted-field@10.117.244.104@/kibana-highlighted-field@"
],
"transport": [
"@kibana-highlighted-field@tcp@/kibana-highlighted-field@"
],
"type": [
"@kibana-highlighted-field@flow@/kibana-highlighted-field@"
]
},
"sort": [
1553684180726
]
}
Hi,
What you are pasting is a flow (see packetbeat.flows in packetbeat.yml).
For monitoring AMQP traffic you need to enable the amqp transaction protocol and configure it with the port that AMQP uses in your network.