Packetbeat on MIPS


(Testsuo) #1

Hi,

I'm trying to get Packetbeat up and running on a MIPS device (an OpenWrt router).

Just wondering if anyone had managed to cross-compile to MIPS before? It would seem that Go does cross-compile to MIPS, as does libpcap.

Any ideas/directions would be most appreciated.


(Andrew Kroh) #2

I haven't done it for MIPS. But it should be possible if you have a MIPS cross-compiler. We cross-compile our releases of Packetbeat. We have a docker container with the cross-compilers installed, cross-compiled dependencies, and then we run go build with the appropriate environment variables set.

All of this code is in the beats repo under dev-tools/packer. Whether or not you adapt our container to do your build, you will probably find the commands we run useful. See https://github.com/elastic/beats/blob/master/dev-tools/packer/docker/xgo-image/base/build.sh


(Testsuo) #3

Thanks - will take a look. Currently having a few issues getting a cross compile stack running properly.

Having Packetbeat able to run on an OpenWrt router would seem extremely useful to me (and I'm guessing others) - I'll come back if I manage it.


(Steffen Siering) #4

While I agree it would be cool to have Packetbeat run on the MIPS platform, one has to consider that analysing packets can be quite expensive. An alternative solution might include the router forwarding packets to some external machine doing the processing.
Also, MIPS support in the current Go compiler is not yet well optimized.


(Testsuo) #5

With Packetbeat, would it be analysing the packets themselves?

I thought it would just sniff the various flows and forward (up to a certain flow size) - then do the analysis on the remote ELK host.

I can already tcpdump on an Edgerouter Lite quite happily - https://help.ubnt.com/hc/en-us/articles/204962304-EdgeMAX-Capture-packets-on-the-router


(Steffen Siering) #6

Packetbeat 5.0 can summarize flows and collect transactions by parsing the application layer directly. No raw packets are forwarded to Elasticsearch. The analysis is not done somewhere remote, but by Packetbeat itself. A "passive" setup normally requires port-forwarding or a network TAP to collect packets and offload analysis.

