New Packetbeat Protocol - accessing lower layer Info

dhughes · October 29, 2018, 4:13pm

We've created our own UDP protocol in Packetbeat.

We're successfully accessed the payload past UDP using the Payload field within the Packet struct. We see the tuple information as well for IP.

What we're wondering however is how can we access other lower layer information from IP (TTL), or Ethernet (VLAN ID, MAC addresses), etc. Is that possible? If not, is there at least a way to get the entire packet payload (not just past UDP), so that we could parse this ourselves?

Thanks in advance,

David H.

adrisr · October 29, 2018, 6:39pm

Hi,

Unfortunately, full packet information is not available to protocol processors. As making this information available requires a significant refactor to Packetbeat. Feel free to create an Enhancement request, or experiment with propagating this information yourself, from the Decoder in decoder.go to the UDP protocol processor.

Topic		Replies	Views
Support for TCP/UDP Unknown Packets Beats packetbeat	3	2281	July 5, 2017
Is raw data gathering possible with packetbeat? Beats packetbeat	3	614	April 12, 2018
How to implement TCP/UDP protocol in Packetbeats Beats packetbeat	9	4065	July 7, 2016
Does it support the collection of UDP traffic on the specified port number? Beats packetbeat	5	524	May 29, 2021
TCP/UDP configuration question Beats packetbeat	4	3808	July 5, 2017

New Packetbeat Protocol - accessing lower layer Info

Related topics