Packetbeat interfere with defender for identity on Windows Server 2012-2022

We are using Packetbeat for capturing DNS traffic from our Windows servers (10 servers) and are having an issue with packetbeat interfering with the defender sensor. We are getting the following error message from Defender for identity (see below).

We are listening on the NPCAP loopback address that gets created during installation and we are seeing the traffic in kibana. However if we restart packetbeat and defender for identity both fails to start and crashes.

We really need the DNS traffic from our servers and packetbeat is one of the reasons we want to buy the elastic stack enterprise license.


Is it possible to capture Windows DNS traffic on another way?

Thank you.

1 Like

Any input from the team?


Somebody at elastic team that can help us out?


I'm running Packetbeat and MDI sensors at the same time on the same host without issues.
PacketBeat is used to capture DNS and TLS trafic on our side.
However Packetbeat is configured to monitor the PROD ethernet adaptor, not a virtual loopback address you mentionned.

I've tested with both embedded NPCAP librairies : the one delivered by MS with MDI sensor (tagged as 1.0.0-OEM) and the latest available on the official Website (the Free Edition) - and it's working with any version.
It's recommended to run the one you have from MDI Sensor (the v 1.0.0 OEM) for both products.

As Well you need to check if you reinstalled the NPCAP lib after MDI did it - and the options you selected during the installation.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.