Packetbeat on windows


I am using windows 10 os,
I have configured Elasicsearch, kibana and packebeat as per standard
I have installed pcapng too

In powershell after execute the .\packetbeat.exe -devices command

0: \Device\NPF_{5BC8D54F-F098-49C3-8D2D-969E839DFA8E} (Intel(R) Ethernet Connection I219-V) (fe80::79b6:7ad7:e5c6:9de9
1: \Device\NPF_{11FF37BF-069C-481D-8EEE-1E1FB9BD69F6} (Microsoft) (fe80::dfa:60ab:c73d:87c7 2408:210:28ec:b800:9cfb:b3
bd:bf27:b3f8 2408:210:28ec:b800:dfa:60ab:c73d:87c7
2: \Device\NPF_{AA15BD21-3348-460A-8081-023207EABD27} (MS NDIS 6.0 LoopBack Driver) (fe80::f180:c469:a35a:4b9e

like devices are displaying

so I set
packetbeat.interfaces.device: 2 in packbeat.yml file

I want to receive packet from PostgreSQL or MySQL so I set
timeout: 10s
period: 10s

ports: [80, 8080, 8000, 5000, 8002, 8099]

ports: [3306]

ports: [5432]

hosts: [""]

after start packetbeat, wireshark also stared
I did operations on PostgreSQL/MySQL, I couldn't get any packets in elasticsearch, the same I can able to catch packets in wireshark

Is there anything I have missed

Thanks & Regards,

did you check packetbeat logs?

Can you find flows in ES/Kibana?

Yes, I have checked the log it seams packebeat is running and able to capture others ports packets

2017-05-19T10:34:11+09:00 INFO Resolved device index 2 to device: \Device\NPF_{AA15BD21-3348-460A-8081-023207EABD27}
2017-05-19T10:34:11+09:00 DBG Sniffer type: pcap device: \Device\NPF_{AA15BD21-3348-460A-8081-023207EABD27}
2017-05-19T10:34:11+09:00 DBG new flows worker. timeout=10s, period=10s, tick=10s, ticksTO=1, ticksP=1
2017-05-19T10:34:11+09:00 DBG Local IP addresses: [fe80::79b6:7ad7:e5c6:9de9 fe80::f180:c469:a35a:4b9e fe80::fdca:b6a4:4ef5:7e66 2408:210:28ec:b800:dfa:60ab:c73d:87c7 2408:210:28ec:b800:9cfb:b3bd:bf27:b3f8 fe80::dfa:60ab:c73d:87c7 ::1 2001:0:4137:9e76:1874:25:c5fe:1fcb fe80::1874:25:c5fe:1fcb fe80::5efe:c0a8:264]
2017-05-19T10:34:11+09:00 DBG tcp%!(EXTRA string=Port map: %v, map[uint16]protos.Protocol=map[8000:http 3306:mysql 5432:pgsql 80:http 8080:http 5000:http 8002:http 8099:http 11211:memcache])
2017-05-19T10:34:11+09:00 DBG Port map: map[11211:memcache]
2017-05-19T10:34:11+09:00 DBG register flow counter: net_packets_total
2017-05-19T10:34:11+09:00 DBG register flow counter: net_bytes_total
2017-05-19T10:34:11+09:00 DBG Layer type: Ethernet
2017-05-19T10:34:11+09:00 INFO packetbeat start running.

2017-05-19T10:34:30+09:00 DBG Publish: {
"@timestamp": "2017-05-19T01:34:30.001Z",
"beat": {
"hostname": "DESKTOP-TI70K7V",
"name": "DESKTOP-TI70K7V",
"version": "5.4.0"
"dest": {
"ip": "",
"mac": "01:00:5e:7f:ff:fa",
"port": 1900
"final": true,
"flow_id": "EQIA////DP////8U//8BAAEBAF5///oCAExPT1Dv///6qf5LnmwHwtQ",
"last_time": "2017-05-19T01:34:12.390Z",
"source": {
"ip": "",
"mac": "02:00:4c:4f:4f:50",
"port": 54466,
"stats": {
"net_bytes_total": 1276,
"net_packets_total": 4
"start_time": "2017-05-19T01:34:12.390Z",
"transport": "udp",
"type": "flow"

Where are PostgreSQL and MySQL running? How are you performing operations? Since you are listening on the loopback device, are you sure the commands are communicating to the loopback interface and are unencrypted?

MySQL and PostgreSQL are running in same pc only where the packetbeat, elasticsearch and kibana are configured, Everything is in local(same pc), I tested with Insert/Retriew records(Insert command and Select query) and not encrypted one

Is it possible, PostgreSQL/MySQL using named pipes instead of a network socket?

I want to execute in local system only

have you checked you client is connection to MySql/PostgreSQL via named pipes or network socket?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.