Packetbeat for Windows does not capture TCP port data.?

talk2cshah · March 21, 2016, 9:14am

Dear Team,

Basis the link below

Packetbeat does not capture packets on TCP port on Windows.

and current issue I am facing on my local instance is that packet beat does not capture TCP port Windows7 64bit

packets e.g. mysql running on port 3306.

Has anyone succefully installed and captured TCP packets on windows?

Kindly guide.

Regards, Chirag Shah

steffens · March 21, 2016, 11:31am

You just trying to sniff mysql? Is mysql client using TCP connection or names pipe (default)?

talk2cshah · March 21, 2016, 11:32am

Tcp connection!

talk2cshah · March 21, 2016, 4:51pm

Guys, has anyone configured packetbeat to listen tcp ports on Windows? or is it a known issue?

Regards, Chirag Shah

andrewkroh · March 21, 2016, 11:14pm

WinPcap cannot capture from the loopback device (127.0.0.1 traffic). See my comment here for details on the work around.

White_Tong · November 15, 2016, 9:12am

Hey andrewkroh.
I tried npcap v0.10-r18 on Windows 7 but the Packetbeat does not capture traffic from the loopback interface.
However, Wrieshar can capture mysql data from Npcap Loopback Adapter such as the icon below.

The following snippet shows my configuration.

############################# Sniffer #########################################

interfaces:
device: 1
buffer_size_mb: 100

############################# Protocols #######################################
protocols:
dns:
ports: [53]

include_authorities: true
include_additionals: true

# send_request:  true
# send_response: true

http:

ports: [80, 8080, 8000, 5000, 8002]

memcache:

ports: [11211]

mysql:

ports: [3306]

pgsql:

ports: [5432]

redis:

ports: [6379]

thrift:

ports: [9090]

mongodb:
ports: [27017]

############################# Processes #######################################

procs:
enabled: true
monitored:
- process: mysqld
cmdline_grep: mysqld

- process: app
  cmdline_grep: gunicorn

###############################################################################
############################# Libbeat Config ##################################

Base config file used by all other beats for using libbeat features

############################# Output ##########################################

Configure what outputs to use when sending the data collected by the beat.

Multiple outputs may be used.

output:

logstash:
hosts: ["localhost:5044"]

############################# Shipper #########################################

shipper:
name: "172.16.7.163"

############################# Logging #########################################

logging:
files:
rotateeverybytes: 10485760 # = 10MB # Number of rotated log files to keep. Oldest files will be deleted first.

The following icon shows the MySQL.

  packetbeat -e -d "publish" -N
  select * from XXX;

Packetbeat does not capture traffic.

andrewkroh · November 15, 2016, 3:22pm

Shouldn't the device be called "Npcap Loopback Adapter"? It looks like that is what your Wireshark is reading from based on the Window title. Did you re-run -devices after installing the driver? Maybe the machine needs a reboot after installing the driver.

White_Tong · November 16, 2016, 2:38am

Thanks for your support. I'm sure the machine has been restarted after installing the driver. Unfortunately, the wrieshark can capture the traffic from Npcap Loopback adapter but packetbeat can't. I tried it again, but the result likes before.

I change configuration to “devices:2”，and packetbeat can only capture data type "dns" or "http". But my goal is to get the performance of mysql.
Please guide me about that, thanks!

andrewkroh · November 16, 2016, 2:56am

Did you install Npcap with "WinPcap Compatible Mode"? Did you uninstall winpcap?

The fact that the interface is called "MS LoopBack Driver" seems to indicate that Packetbeat is not using Npcap.

White_Tong · November 16, 2016, 8:00am

Thank you very much, I have reinstalled Npcap with "WinPcap Compatible Mode". Now, the packetbeat works well.
Althought the traffics of mysql can be captured, HTTP&DNS are lost.
Do you know how to capture all of them? Thanks!

steffens · November 16, 2016, 9:22am

Is traffic send on different interfaces? Like HTTP/DNS being accessed from the outside and mysql from the inside, in such a way traffic can only be captured by different interfaces (Sorry, I'm no windows expert). In this case, right now, you have to run 2 packetbeat instances. Also watch this enhancement request.

White_Tong · November 16, 2016, 11:22am

Yeah, you are right.
Thanks for your support!