I'd want to evaluate the use of packetbeat to pick up traffic from a SPAN port.
(I have no idea what my traffic output from the SPAN port is, but I assume somewhere around 10Gbps.)
I assume I will compile against the pf_ring (library?) for fastest performance.
I've searched through historic threads and can't find much about packets-per-second performance of packetbeat (with any of the options af_ring, pf_ring or pcap).
Could anybody help me outline a test setup for packetbeat?
The main thing I'm struggling with is creating an endpoint for packetbeat's output. The obvious thing to use is an Elasticsearch cluster... but I'd like to know that I'm keeping my Elasticsearch indexing performance and packetbeat packets-per-second processing as two separate questions.