Packetbeat is not sniffing the packets from a SPAN port


(Ravs) #1

I have configured eth2 as my device in packetbeat, and eth2 is configured as a SPAN destination in my test configuration. tcpdump does show flows are received by the interface, but I don't see the same with packetbeat.

I tried enabling the debug option and see the continuous message "sniffer.go:297: DBG Interrupted".

[root@copylinux ~]# packetbeat -e -d "*" -c /etc/packetbeat/packetbeat.yml
2016/04/11 18:22:27.089114 beat.go:135: DBG Initializing output plugins
2016/04/11 18:22:27.089145 geolite.go:24: INFO GeoIP disabled: No paths were set under output.geoip.paths
2016/04/11 18:22:27.089241 client.go:297: DBG ES Ping(url=http://172.23.48.119:9200, timeout=1m30s)
2016/04/11 18:22:27.090365 client.go:306: DBG Ping status code: 200
2016/04/11 18:22:27.090391 outputs.go:126: INFO Activated elasticsearch as output plugin.
2016/04/11 18:22:27.090405 publish.go:232: DBG Create output worker
2016/04/11 18:22:27.090429 publish.go:274: DBG No output is defined to store the topology. The server fields might not be filled.
2016/04/11 18:22:27.090447 publish.go:288: INFO Publisher name: copylinux.insieme.local
2016/04/11 18:22:27.090617 async.go:78: INFO Flush Interval set to: 1s
2016/04/11 18:22:27.090627 async.go:84: INFO Max Bulk Size set to: 50
2016/04/11 18:22:27.090634 async.go:92: DBG create bulk processing worker (interval=1s, bulk size=50)
2016/04/11 18:22:27.090686 beat.go:147: INFO Init Beat: packetbeat; Version: 1.2.1
2016/04/11 18:22:27.091420 packetbeat.go:166: DBG Initializing protocol plugins
2016/04/11 18:22:27.091474 mongodb.go:73: DBG Init a MongoDB protocol parser
2016/04/11 18:22:27.091496 memcache.go:105: DBG init memcache plugin
2016/04/11 18:22:27.091507 memcache.go:158: DBG maxValues = 0
2016/04/11 18:22:27.091513 memcache.go:159: DBG maxBytesPerValue = 2147483647
2016/04/11 18:22:27.091610 icmp.go:69: DBG Local IP addresses: [127.0.0.1 172.23.48.119 ::1 2001:420:28e:2023:c28c:60ff:fe8b:698c fe80::c28c:60ff:fe8b:698c fe80::92e2:baff:fe40:7528 fe80::92e2:baff:fe40:7529]
2016/04/11 18:22:27.091671 tcp.go:251: DBG tcp%!(EXTRA string=Port map: %v, map[uint16]protos.Protocol=map[6379:redis 9090:thrift 8080:http 8000:http 8002:http 5432:pgsql 27017:mongodb 80:http 5000:http 11211:memcache 3306:mysql])
2016/04/11 18:22:27.091684 udp.go:93: DBG Port map: map[11211:memcache]
2016/04/11 18:22:27.091691 packetbeat.go:212: DBG Initializing sniffer
2016/04/11 18:22:27.091721 sniffer.go:251: DBG BPF filter: tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 5000 or tcp port 8002 or tcp port 3306 or tcp port 6379 or tcp port 5432 or tcp port 9090 or tcp port 27017 or port 11211
2016/04/11 18:22:27.091732 sniffer.go:130: DBG Sniffer type: pcap device: eth2
2016/04/11 18:22:27.105039 decoder.go:63: DBG Layer type: Ethernet
2016/04/11 18:22:27.105228 beat.go:173: INFO packetbeat sucessfully setup. Start running.
2016/04/11 18:22:27.105267 packetbeat.go:244: DBG Waiting for the sniffer to finish
2016/04/11 18:22:27.605880 sniffer.go:297: DBG Interrupted
2016/04/11 18:22:28.106516 sniffer.go:297: DBG Interrupted
2016/04/11 18:22:28.607113 sniffer.go:297: DBG Interrupted
2016/04/11 18:22:29.107698 sniffer.go:297: DBG Interrupted
^C2016/04/11 18:22:29.555378 service.go:30: DBG Received sigterm/sigint, stopping
2016/04/11 18:22:29.608289 sniffer.go:297: DBG Interrupted
2016/04/11 18:22:29.608380 sniffer.go:359: INFO Input finish. Processed 0 packets. Have a nice day!
2016/04/11 18:22:29.608423 beat.go:183: INFO Cleaning up packetbeat before shutting down.

[root@copylinux ~]# tcpdump -i eth2
tcpdump: WARNING: eth2: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
11:22:54.253868 IP 11.11.12.10.51113 > 10.10.12.10.http: Flags [S], seq 952226551, win 14600, options [mss 1460,sackOK,TS val 527670639 ecr 0,nop,wscale 6], length 0
11:22:54.254668 IP 10.10.12.10.http > 11.11.12.10.51113: Flags [S.], seq 49056701, ack 952226552, win 14480, options [mss 1380,sackOK,TS val 527269576 ecr 527670639,nop,wscale 6], length 0
11:22:54.254942 IP 11.11.12.10.51113 > 10.10.12.10.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 527670640 ecr 527269576], length 0
11:22:54.255106 IP 11.11.12.10.51113 > 10.10.12.10.http: Flags [P.], seq 1:116, ack 1, win 229, options [nop,nop,TS val 527670641 ecr 527269576], length 115
11:22:54.255502 IP 10.10.12.10.http > 11.11.12.10.51113: Flags [.], ack 116, win 227, options [nop,nop,TS val 527269577 ecr 527670641], length 0
11:22:54.255970 IP 10.10.12.10.http > 11.11.12.10.51113: Flags [P.], seq 1:270, ack 116, win 227, options [nop,nop,TS val 527269578 ecr 527670641], length 269
11:22:54.256098 IP 11.11.12.10.51113 > 10.10.12.10.http: Flags [.], ack 270, win 245, options [nop,nop,TS val


(Andrew Kroh) #2

Are the packets from the SPAN port VLAN encapsulated? If so, you need to set the with_vlans option to true. See https://www.elastic.co/guide/en/beats/packetbeat/1.2/configuration-interfaces.html#_with_vlans

interfaces:
  device: eth0
  with_vlans: true
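The reason a SPAN session can deliver traffic that tcpdump shows but packetbeat never counts is visible in the debug log above: the sniffer installs a BPF filter of the form "tcp port 80 or tcp port 8080 or ...", and a plain "tcp port N" expression only inspects the EtherType at byte offset 12 of the frame. When the mirrored port is a trunk, the frames carry an 802.1Q tag (EtherType 0x8100), so the filter sees no IPv4 header and drops every frame before packetbeat processes it, hence "Processed 0 packets". The following is an added illustration, not code from packetbeat or from this thread: it builds two constructed TCP SYN frames (one untagged, one VLAN-tagged, with made-up MAC addresses) and approximates how the port filter behaves with and without VLAN awareness. The claim that with_vlans: true extends the filter to "... or (vlan and (...))" is my reading of packetbeat's sniffer code and is an assumption here; the frame-parsing logic is standard 802.1Q/IPv4/TCP layout.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_TCP = 6


def build_frame(dst_port, vlan_id=None):
    """Build a minimal Ethernet/IPv4/TCP SYN frame (constructed sample data,
    addresses chosen to resemble the tcpdump output in the thread).
    If vlan_id is given, an 802.1Q tag is inserted, as a SPAN session on a
    trunk port would deliver it."""
    dst_mac = bytes.fromhex("66778899aabb")  # constructed
    src_mac = bytes.fromhex("001122334455")  # constructed
    # TCP: sport, dport, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51113, dst_port, 952226551, 0,
                      5 << 4, 0x02, 14600, 0, 0)
    # IPv4: ver/ihl, tos, total length, id, flags/frag, ttl, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, bytes([11, 11, 12, 10]), bytes([10, 10, 12, 10]))
    if vlan_id is None:
        eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    else:
        # 802.1Q: TPID 0x8100, TCI (VLAN id in low 12 bits), then the real EtherType
        eth = dst_mac + src_mac + struct.pack("!HHH", ETHERTYPE_VLAN,
                                              vlan_id & 0x0FFF, ETHERTYPE_IPV4)
    return eth + ip + tcp


def bpf_filter(ports, with_vlans):
    """Reproduce the shape of the filter seen in the debug log, and (assumption)
    the VLAN-aware variant packetbeat installs when with_vlans is true."""
    base = " or ".join("tcp port %d" % p for p in ports)
    return "%s or (vlan and (%s))" % (base, base) if with_vlans else base


def tcp_port_filter_matches(frame, port, with_vlans):
    """Approximate what 'tcp port N' does on one frame.
    Without VLAN awareness the EtherType at offset 12 is 0x8100, which is not
    IPv4, so the frame is rejected. With VLAN awareness the 4-byte tag is
    skipped and the real EtherType at offset 16 is examined."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        if not with_vlans:
            return False
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != ETHERTYPE_IPV4:
        return False
    ihl = (frame[offset] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[offset + 9] != IPPROTO_TCP:      # protocol field
        return False
    tcp_off = offset + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    return port in (sport, dport)


def count_matches(frames, port, with_vlans):
    """How many frames would pass the sniffer's filter for the given port."""
    return sum(1 for f in frames if tcp_port_filter_matches(f, port, with_vlans))


if __name__ == "__main__":
    frames = [build_frame(80), build_frame(80, vlan_id=100)]
    print(bpf_filter([80, 8080], with_vlans=False))
    print(count_matches(frames, 80, with_vlans=False))  # 1: the tagged frame is dropped
    print(bpf_filter([80, 8080], with_vlans=True))
    print(count_matches(frames, 80, with_vlans=True))   # 2: both frames reach the decoder
```

A quick way to confirm which case you are in before changing the configuration is to run tcpdump with -e on the SPAN interface: tagged frames print "802.1Q" in the link-layer line, and if they do, with_vlans: true is the setting to change.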

(Ravs) #3

Excellent,

packetbeat does see packets now.

I need to figure out why Kibana is not showing this info.


(system) #4