Packetbeat not always populating "server" common field

Micah_Hunsberger · July 24, 2018, 4:39pm

Is there a reason that packetbeat would not always collect the server field?

I'm collecting tls packets and only sending events that have the tls.handshake_completed field.

packetbeat.protocols:
- type: tls
  send_certificates: false
  include_raw_certificates: false
  ports: [443]

packetbeat.ignore_outgoing: true

processors:
- drop_event:
    when:
      not:
        has_fields: ['tls.handshake_completed']

I tried comparing the events which did have the server field to the ones that did not, and I wasn't seeing any noticeable patterns.

Thanks.

andrewkroh · July 24, 2018, 5:00pm

server gets populated with the tls.client_hello.extensions.server_name_indication value. So if the client doesn't specify a SNI then server won't be populated.

Micah_Hunsberger · July 24, 2018, 5:16pm

Thank you for the quick response. That makes sense.

system · August 21, 2018, 5:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Packetbeat Missing fields in tls protocol Beats packetbeat	4	463	November 16, 2021
Missing some fields in some document Beats beats-module , packetbeat	3	345	September 27, 2023
'ignore_outgoing' doesn't work for me Beats packetbeat	4	2040	July 5, 2017
Client_server and server fields in packetbeat showing empty Beats packetbeat	3	1059	July 5, 2017
Packetbeat TLS [Client\|Server] hello Ciphers on one string Beats packetbeat	1	399	March 10, 2023

Packetbeat not always populating "server" common field

Related topics