Hi,
This might be a silly question but we are facing few issues with packetbeat when using port mirroring.
We have 2 hosts Host1 and Host2 and we are mirroring the traffic between these hosts on to the host3(Packetbeat) dedicated server where packetbeat is installed.
We are using openvswitch port mirroring to mirror traffic on the interfaces of host1 and host2 to host3's interface.
So at host3 eth1 interface below are some sample records from tcpdump
13:52:12.338378 IP Host1ip.http > Host2ip.44719: Flags [S.], seq 1032732660, ack 494539474, win 28040, options [mss 1414,sackOK,TS val 535381399 ecr 114513044,nop,wscale 7], length 0
13:52:12.338801 IP Host2ip.44719 > Host1ip.http: Flags [R.], seq 1, ack 1, win 221, options [nop,nop,TS val 114513044 ecr 535381399], length 0
We have configured packetbeat with http port(80,8080) and device as any on host3.
Still we are not able to see the http traffic being generated in packetbeat logs.
So below are few questions which I would like to know more about
1)As the ip of process listening on port 80 is of host1 and not of host3,are we not seeing the logs ?
- Should ip be the same as the host on which packetbeat is configured for it to capture the http traffic.Also as there is no process which handles traffic for port 80 on host 3 ,is this the right way to do mirroring and use packetbeat ? The mirrored traffic will be dropped ?
3)Should both the records be present i.e request and response for packetbeat to capture the transaction and does it ignore any incomplete request - response flows ? This is more for info.
thanks