Packetbeat not see some trafic


I am trying to set up a sniffer with packetbeat. The sniffer receives the traffic via several mirroring of vlan at the level of a switch.
It works very well except for a case identified on a vlan with which I have a problem.
Via a tcpdump on this vlan everything works perfectly, I have all the expected traffic. On the other hand with packetbeat it does not send me all the traffic to elk
For example of the TLS traffic that I see on the tcpdump, I cannot find it on the elk.
With a trace with this command packetbeat -e -c /etc/packetbeat/packetbeat.yml -d "*"
I do not observe anything abnormal.
How to explain this missing traffic on the ELK?
Could you help me solve my problem.

packetbeat.yml :

packetbeat.interfaces.device: enp59s0f1
packetbeat.interfaces.type: af_packet
#packetbeat.interfaces.type: pcap
packetbeat.interfaces.buffer_size_mb: 100
packetbeat.interfaces.auto_promisc_mode: true
#packetbeat.interfaces.with_vlans: true
  - unspecified
  timeout: 30s
  period: 10s
- type: icmp
  enabled: true
- type: cassandra
  ports: [9042]
- type: dhcpv4
  ports: [67, 68]
- type: dns
  ports: [53]
- type: http
  enabled: true
  ports: [80, 8080, 8000, 5000, 8002]
  send_all_headers: true
- type: memcache
  ports: [11211]
- type: mysql
  ports: [3306,3307]
- type: pgsql
  ports: [5432]
- type: redis
  ports: [6379]
- type: mongodb
  ports: [27017]
- type: nfs
  ports: [2049]
- type: tls
  enabled: true
    - 443   # HTTPS
    - 993   # IMAPS
    - 995   # POP3S
    - 5223  # XMPP over SSL
    - 8443
    - 8883  # Secure MQTT
    - 9243  # Elasticsearch
    - 9443
  send_certificates: true
  include_raw_certificates: false
  include_detailed_fields: true
  fingerprints: [ md5, sha1, sha256 ]
  index.number_of_shards: 1
name: sniffer
setup.dashboards.enabled: true
  host: ""
  hosts: [""]
logging.level: info
logging.to_files: true
  path: /var/log/packetbeat
  name: packetbeat.log
  rotateeverybytes: 10485760
  keepfiles: 7
  permissions: 0644

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.