I'm noticing that a lot of data coming in from Packetbeat (if not all) is in reverse as far as traffic direction. For example, we have a web server NATed through a FortiGate firewall for port 443. Packetbeat is reporting that the source IP and port are the internal server IP and port 443, and the destination is a public IP and a random port number. This should actually be reversed, as it is the public IP communicating to our server on port 443.
Our current config is pretty much default except for the Elasticsearch output and the packetbeat.interfaces.device parameter, which is set to the correct NIC when running ".\packetbeat.exe devices".
How can I correct this issue?