Packetbeat have problems with sniffer.go:297: DBG Interrupted

daguero · March 10, 2016, 4:35pm

I tried to use Packetbeat for network monitoring and have problems. I followed the recommended configuration on the official site, but when you run:

ok@ok-VirtualBox1:~/Desktop/packetbeat$ packetbeat -e -c packetbeat.yml -d "*"

The result shown in console is:

........
2016/03/10 15:44:26.637344 packetbeat.go:244: DBG Waiting for the sniffer to finish
2016/03/10 15:44:27.138116 sniffer.go:297: DBG Interrupted
2016/03/10 15:44:27.638974 sniffer.go:297: DBG Interrupted
2016/03/10 15:44:28.139709 sniffer.go:297: DBG Interrupted
2016/03/10 15:44:28.640423 sniffer.go:297: DBG Interrupted

Please any idea how to resolve????
thanks

ruflin · March 11, 2016, 10:51am

Can you share your config file?
Which OS are you running on?
What network interfaces do you have enabled?

daguero · March 11, 2016, 1:30pm

Hello ruflin:
This is my config file:

################### Sniffer ###########################

interfaces:
device: any

############################# Protocols #######################################
protocols:
dns:
ports: [53]
include_authorities: true
include_additionals: true
http:
ports: [80, 8080, 8000, 5000, 8002]
memcache:
ports: [11211]
mysql:
ports: [3306]

pgsql:
ports: [5432]

redis:
ports: [6379]

thrift:
ports: [9090]

mongodb:
ports: [27017]

################# Output ########################

output:

Logstash as output

logstash:
# The Logstash hosts
hosts: ["172.23.10.14:5044"]
index: packetbeat

################## Shipper #######################

shipper:
name: "daj3"

############################# Logging #########################################

logging:
files:
rotateeverybytes: 10485760 # = 10MB

My SO is Ubuntu 15.04, I am using containers docker...

Greetings and thank you very much in advance

andrewkroh · March 11, 2016, 9:38pm

Those are not errors. That's just normal debug output.

Once you have Packetbeat started, try running a nslookup google.com to generate some traffic.

Make sure you are running packetbeat as root so that it can capture in promiscuous mode. And if none of that works, instead of using the any interface call out a specific interface like eth0.

daguero · March 14, 2016, 2:01pm

Thank Andrew, but the real problem I had was I'm running pacetbeat within a docker container and can not see traffic. I imagine it has to do with how I share the resources between the container and the local pc.

Best regards

andrewkroh · March 17, 2016, 9:25pm

If you are running Packetbeat inside a container then I would think you would need to start that container with docker run --net=host and then configure device: docker0. The --net=host part makes it possible to sniff the traffic from other containers.