Netflows not showing protocol types in Dashboards

Newbie here.. I am curious as to why my netflows are only giving the traffic but not the protocol type in the dashboards. Also are you really able to inspect packets from a cloud implementation?

Can you give me a bit more details about the configuration you are running?

#============================== Network device ================================
packetbeat.interfaces.device: any

#================================== Flows ===========================

timeout: 30s

period: 10s

** Under Transaction protocols I left everything as default.
**Using packetbeat 7.0.1

Packetbeat's flow monitor doesn't go much deeper than the transport layer so it will identify tcp/udp/icmp but it won't go into identifying the traffic as HTTP, for example. There are separate events that contain protocol analysis for the supported protocols.

What do you mean by "cloud implementation"? What are you trying to monitor? Packetbeat captures data via libpcap or af_packet so it can observe the traffic that's on a host's network interface.

In addition to observing traffic on an instance's network interface, can it observe traffic on the actual subnet ..( Honestly I think your previous answer suffices) . You answered my question, basically packetbeat isn't a substitute for a deep packet analysis as it won't go beyond the transport layer.

Yes, it will report all traffic that it sees on the interfaces that it is monitoring. So when the interface is is put into promiscuous mode it can capture traffic from the subnet (but generally hosts on a network only see traffic destined for that host unless you do something special like port mirroring).

For the protocols that Packetbeat understands it will do "deep inspection". Like for HTTP, DNS, or TLS it will give very detailed information.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.