Monitor uncommon ports

Hi, I'm trying to configure Packetbeat on a Linux server that is trying to remotely access Microsoft's Windows Management Instrumentation (WMI). How can I configure the packetbeat.protocols section to monitor ports 135 and 139?


Packetbeat supports decoding a specific set of protocols. They are listed here. Unless WMI is operating over HTTP or TLS, Packetbeat won't be able to tell you much about the application layer.

But Packetbeat can still tell you general information about the flows. You can see an example of this in the documentation for flows. By default it will monitor all traffic. You may be interested in monitoring a subset of the traffic and you can do this by setting up a custom BPF filter.

packetbeat.interfaces.device: eth0
packetbeat.interfaces.type: af_packet
packetbeat.interfaces.buffer_size_mb: 100
packetbeat.interfaces.snaplen: 1514
# Capture only traffic where either endpoint uses the WMI/DCOM ports.
packetbeat.interfaces.bpf_filter: "port 135 or port 139"

# Flow records (endpoints, bytes, packets) are reported even when the
# application protocol itself is not decoded.
packetbeat.flows:
  enabled: true
  timeout: 30s
  period:  1m

output.elasticsearch.hosts: ['http://localhost:9200']
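As an added example (not from this thread and not Packetbeat's own code), the check below shows what can be done with the port-only flow data this configuration produces: it renders the same bpf_filter expression from a port list, mirrors which constructed flow records that filter would have captured, and flags flows reaching 135/139 from a client outside an allowlist. The ECS-style field names (source.ip, destination.port, network.bytes) and the sample records are assumptions of the example.

```python
import ipaddress

# Constructed sample flow records in the ECS-style shape Packetbeat's flows
# module emits (the source/destination/network field names are assumed here).
SAMPLE_FLOWS = [
    {"source": {"ip": "10.0.0.5", "port": 49710},
     "destination": {"ip": "10.0.0.20", "port": 135}, "network": {"bytes": 4200}},
    {"source": {"ip": "10.0.0.5", "port": 49711},
     "destination": {"ip": "10.0.0.20", "port": 139}, "network": {"bytes": 1800}},
    {"source": {"ip": "192.168.50.9", "port": 51022},
     "destination": {"ip": "10.0.0.20", "port": 135}, "network": {"bytes": 96000}},
    {"source": {"ip": "10.0.0.5", "port": 52000},
     "destination": {"ip": "10.0.0.20", "port": 443}, "network": {"bytes": 700}},
]

WMI_PORTS = {135, 139}


def bpf_filter(ports):
    """Render the packetbeat.interfaces.bpf_filter expression for a set of ports."""
    return " or ".join(f"port {p}" for p in sorted(set(ports)))


def passes_filter(flow, ports):
    """Mirror the capture filter: 'port N' matches either endpoint of the flow."""
    return flow["source"]["port"] in ports or flow["destination"]["port"] in ports


def unexpected_wmi_clients(flows, ports, allowed_clients):
    """Flows that reach a WMI port from a source outside the allowed client networks.

    Returns (source_ip, destination_ip, destination_port, bytes) tuples, largest first.
    """
    allowed = [ipaddress.ip_network(n) for n in allowed_clients]
    hits = []
    for flow in flows:
        if not passes_filter(flow, ports):
            continue  # would not have been captured with this bpf_filter anyway
        dport = flow["destination"]["port"]
        if dport not in ports:
            continue  # the monitored host was the client here, not the WMI server
        src = ipaddress.ip_address(flow["source"]["ip"])
        if any(src in net for net in allowed):
            continue
        hits.append((str(src), flow["destination"]["ip"], dport, flow["network"]["bytes"]))
    return sorted(hits, key=lambda h: h[3], reverse=True)


if __name__ == "__main__":
    print(bpf_filter(WMI_PORTS))
    for hit in unexpected_wmi_clients(SAMPLE_FLOWS, WMI_PORTS, ["10.0.0.0/24"]):
        print("unexpected WMI client:", hit)
```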

I was able to set up Packetbeat to trace the network flow with the config you provided.

Thanks for the help!
