I am trying to set up a sniffer with packetbeat. The sniffer receives the traffic via several VLAN mirrors configured at the switch level.
It works very well except for one case identified on a VLAN with which I have a problem.
With tcpdump on this VLAN everything works perfectly; I see all the expected traffic. On the other hand, with packetbeat not all of the traffic is sent to ELK.
For example, the TLS traffic that I see in tcpdump cannot be found in ELK.
With a trace from this command: `packetbeat -e -c /etc/packetbeat/packetbeat.yml -d "*"`
I do not observe anything abnormal.
How can this missing traffic in ELK be explained?
Could you help me solve my problem?
```yaml
packetbeat.interfaces.device: enp59s0f1
packetbeat.interfaces.type: af_packet
#packetbeat.interfaces.type: pcap
packetbeat.interfaces.buffer_size_mb: 100
packetbeat.interfaces.auto_promisc_mode: true
#packetbeat.interfaces.with_vlans: true
packetbeat.interfaces.internal_networks:
  - unspecified

packetbeat.flows:
  timeout: 30s
  period: 10s

packetbeat.protocols:
- type: icmp
  enabled: true

- type: cassandra
  ports:

- type: dhcpv4
  ports: [67, 68]

- type: dns
  ports:

- type: http
  enabled: true
  ports: [80, 8080, 8000, 5000, 8002]
  send_all_headers: true

- type: memcache
  ports:

- type: mysql
  ports: [3306, 3307]

- type: pgsql
  ports:

- type: redis
  ports:

- type: mongodb
  ports:

- type: nfs
  ports:

- type: tls
  enabled: true
  ports:
    - 443   # HTTPS
    - 993   # IMAPS
    - 995   # POP3S
    - 5223  # XMPP over SSL
    - 8443
    - 8883  # Secure MQTT
    - 9243  # Elasticsearch
    - 9443
  send_certificates: true
  include_raw_certificates: false
  include_detailed_fields: true
  fingerprints: [md5, sha1, sha256]

setup.template.settings:
  index.number_of_shards: 1

name: sniffer

setup.dashboards.enabled: true

setup.kibana:
  host: "192.168.15.118:5601"

output.elasticsearch:
  hosts: ["192.168.15.118:9200"]

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/packetbeat
  name: packetbeat.log
  rotateeverybytes: 10485760
  keepfiles: 7
  permissions: 0644
```
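One mechanism that produces exactly this symptom (tcpdump shows the packets, a port-based protocol sniffer does not) is 802.1Q tagging on the mirrored frames: a decoder that expects the EtherType at offset 12 sees 0x8100 instead of 0x0800, never reaches the IP and TCP headers, and so never matches the `tls` port list. The posted configuration has `packetbeat.interfaces.with_vlans` commented out, which is the option Packetbeat provides for tagged traffic. The Python below is an added illustration and is not part of the original post or of Packetbeat itself; it builds constructed Ethernet/IPv4/TCP frames (dummy addresses, empty payload), decodes them with and without VLAN awareness, and checks the result against the TLS port list from the configuration above. Whether the problem VLAN's mirror actually delivers tagged frames is an assumption here; `tcpdump -nn -e -i enp59s0f1 vlan` on the sniffer would confirm or rule it out.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_QINQ = 0x88A8   # 802.1ad outer tag (QinQ)
IPPROTO_TCP = 6

# TLS ports taken from the posted packetbeat.yml
TLS_PORTS = {443, 993, 995, 5223, 8443, 8883, 9243, 9443}


def parse_frame(frame: bytes, vlan_aware: bool = True) -> dict:
    """Decode an Ethernet frame far enough to recover EtherType, VLAN IDs and TCP ports.

    With vlan_aware=False the decoder behaves like a capture path that assumes the
    EtherType sits at offset 12 and the IP header at offset 14: a tagged frame then
    reports EtherType 0x8100 and no transport-layer fields at all.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    result = {"vlans": [], "ethertype": None, "proto": None,
              "src_port": None, "dst_port": None}
    offset = 12
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    offset += 2
    if vlan_aware:
        # Strip any number of stacked 802.1Q / 802.1ad tags.
        while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
            if len(frame) < offset + 4:
                raise ValueError("truncated VLAN tag")
            tci, ethertype = struct.unpack_from("!HH", frame, offset)
            result["vlans"].append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
            offset += 4
    result["ethertype"] = ethertype
    if ethertype != ETHERTYPE_IPV4:
        return result
    ihl = (frame[offset] & 0x0F) * 4             # IPv4 header length in bytes
    proto = frame[offset + 9]
    result["proto"] = proto
    offset += ihl
    if proto == IPPROTO_TCP:
        result["src_port"], result["dst_port"] = struct.unpack_from("!HH", frame, offset)
    return result


def matches_tls_port(frame: bytes, vlan_aware: bool = True) -> bool:
    """True if a port-based TLS sniffer would pick this frame up."""
    decoded = parse_frame(frame, vlan_aware)
    return decoded["proto"] == IPPROTO_TCP and (
        decoded["src_port"] in TLS_PORTS or decoded["dst_port"] in TLS_PORTS)


def build_frame(dst_port: int, vlan_ids=()) -> bytes:
    """Constructed test data (not captured traffic): a minimal Ethernet/IPv4/TCP SYN
    to dst_port with dummy MACs and IPs, optionally wrapped in one or more VLAN tags."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tags = b""
    for i, vid in enumerate(vlan_ids):
        # With stacked tags the outer one carries the 802.1ad TPID, inner ones 802.1Q.
        tpid = ETHERTYPE_QINQ if (i == 0 and len(vlan_ids) > 1) else ETHERTYPE_VLAN
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + tags + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + tcp_hdr


if __name__ == "__main__":
    for label, frame in (("untagged", build_frame(443)),
                         ("tagged vlan 100", build_frame(443, (100,))),
                         ("qinq 200/100", build_frame(443, (200, 100)))):
        print(label, "naive:", matches_tls_port(frame, vlan_aware=False),
              "vlan-aware:", matches_tls_port(frame, vlan_aware=True))
```

Run stand-alone, the script shows the untagged frame matching either way and the tagged frames matching only with VLAN-aware decoding, which is the gap between "tcpdump sees it" and "packetbeat indexes it" if the mirror preserves tags.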