Packetbeat not see some trafic

franpom · July 21, 2021, 7:05am

Hello,

I am trying to set up a sniffer with packetbeat. The sniffer receives the traffic via several mirroring of vlan at the level of a switch.
It works very well except for a case identified on a vlan with which I have a problem.
Via a tcpdump on this vlan everything works perfectly, I have all the expected traffic. On the other hand with packetbeat it does not send me all the traffic to elk
For example of the TLS traffic that I see on the tcpdump, I cannot find it on the elk.
With a trace with this command packetbeat -e -c /etc/packetbeat/packetbeat.yml -d "*"
I do not observe anything abnormal.
How to explain this missing traffic on the ELK?
Could you help me solve my problem.

packetbeat.yml :

packetbeat.interfaces.device: enp59s0f1
packetbeat.interfaces.type: af_packet
#packetbeat.interfaces.type: pcap
packetbeat.interfaces.buffer_size_mb: 100
packetbeat.interfaces.auto_promisc_mode: true
#packetbeat.interfaces.with_vlans: true
packetbeat.interfaces.internal_networks:
  - unspecified
packetbeat.flows:
  timeout: 30s
  period: 10s
packetbeat.protocols:
- type: icmp
  enabled: true
- type: cassandra
  ports: [9042]
- type: dhcpv4
  ports: [67, 68]
- type: dns
  ports: [53]
- type: http
  enabled: true
  ports: [80, 8080, 8000, 5000, 8002]
  send_all_headers: true
- type: memcache
  ports: [11211]
- type: mysql
  ports: [3306,3307]
- type: pgsql
  ports: [5432]
- type: redis
  ports: [6379]
- type: mongodb
  ports: [27017]
- type: nfs
  ports: [2049]
- type: tls
  enabled: true
  ports:
    - 443   # HTTPS
    - 993   # IMAPS
    - 995   # POP3S
    - 5223  # XMPP over SSL
    - 8443
    - 8883  # Secure MQTT
    - 9243  # Elasticsearch
    - 9443
  send_certificates: true
  include_raw_certificates: false
  include_detailed_fields: true
  fingerprints: [ md5, sha1, sha256 ]
setup.template.settings:
  index.number_of_shards: 1
name: sniffer
setup.dashboards.enabled: true
setup.kibana:
  host: "192.168.15.118:5601"
output.elasticsearch:
  hosts: ["192.168.15.118:9200"]
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/packetbeat
  name: packetbeat.log
  rotateeverybytes: 10485760
  keepfiles: 7
  permissions: 0644

system · August 18, 2021, 9:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cannot make packetbeat work Beats	3	1833	July 5, 2017
Packetbeat input from pcap -> all sniffed field on ELK Beats packetbeat	6	2061	October 4, 2018
Packetbeat isn't capture mysql network traffic Beats packetbeat	3	459	April 7, 2023
Packetbeat.yml with_vlans Beats packetbeat	14	3559	July 5, 2017
TCP/UDP configuration question Beats packetbeat	4	3732	July 5, 2017

Packetbeat not see some trafic

Related topics