Packetbeat not always populating "server" common field

Is there a reason that Packetbeat would not always collect the server field?

I'm collecting TLS packets and only sending events that have the tls.handshake_completed field.

packetbeat.protocols:
- type: tls
  send_certificates: false
  include_raw_certificates: false
  ports: [443]

packetbeat.ignore_outgoing: true

processors:
- drop_event:
    when:
      not:
        has_fields: ['tls.handshake_completed']

I tried comparing the events which did have the server field to the ones that did not, and I wasn't seeing any noticeable patterns.

Thanks.

server gets populated with the tls.client_hello.extensions.server_name_indication value. So if the client doesn't specify a SNI then server won't be populated.


Thank you for the quick response. That makes sense.
