Packetbeat support for tcp6


(Tomasz) #1

I cannot get proc details for tcp6 port, not sure if Packetbeat is able to grab it.

I want to monitor http 8181 port, for java process (currently pid 8985).

netstat --all --program | grep 8985:
tcp 0 0 :5005 : LISTEN 8985/java
....
tcp6 0 0 [::]:8181 [::]: LISTEN 8985/java

I've set up packetbeat.yml with this config:

packetbeat.protocols.http:
  ports: [5005, 8181]
packetbeat.procs:
  enabled: true
  monitored:
   - process: java
     cmdline_grep: java

And I'm intercepting requests, however they don't have the 'proc' field filled:

{ ... "ip":"127.0.0.1","method":"GET","path":"/api/endpoint-test","port":8181,"proc":"" }

I've enabled debug and I can see that packetbeat found port 5005 (tcp)

2017-06-01T13:04:57+02:00 DBG UpdateMappingEntry(): port=5005 pid=%!d(string=java)

But it doesn't know about 8181 which is tcp6.
I've checked the source code and it looks suspicious to me:

ipv6socks, err := socketsFromProc("/proc/net/tcp6", true)

...

func socketsFromProc(filename string, ipv6 bool) ([]*socketInfo, error) {
	file, err := os.Open("/proc/net/tcp")
	if err != nil {
		return nil, err
	}
	defer file.Close()
	return parseProcNetTCP(file, false)
}

If I'm not mistaken, the filename variable is not used and /proc/net/tcp6 is not scanned.

Am I doing something wrong or is there a bug in the code?

(I'm using version 5.4.x)
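
The blind spot described in the post above, as an added example that is not part of the thread and not Packetbeat's code: a listener bound to [::]:8181 has a row only in the tcp6 table, so a port-to-process lookup built from /proc/net/tcp alone never sees it. The function name `listeningPorts` and the two sample tables are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Constructed rows in /proc/net/tcp and /proc/net/tcp6 layout (ports 5005 and 8181, LISTEN).
const sampleTCP4 = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:138D 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 48211 1
`
const sampleTCP6 = `  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:1FF5 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 48377 1
`

// listeningPorts maps local port -> socket inode for rows in LISTEN state (st == 0A).
// ipv6 selects the expected hex address width, so a table read with the wrong flag is rejected.
func listeningPorts(r io.Reader, ipv6 bool) (map[uint16]uint64, error) {
	width := map[bool]int{false: 8, true: 32}[ipv6]
	ports := map[uint16]uint64{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 10 || f[3] != "0A" { // also skips the header row
			continue
		}
		local := strings.SplitN(f[1], ":", 2)
		if len(local) != 2 || len(local[0]) != width {
			return nil, fmt.Errorf("unexpected local address %q", f[1])
		}
		port, err1 := strconv.ParseUint(local[1], 16, 16)
		inode, err2 := strconv.ParseUint(f[9], 10, 64)
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("bad port or inode in %q", sc.Text())
		}
		ports[uint16(port)] = inode
	}
	return ports, sc.Err()
}

func main() {
	v4, _ := listeningPorts(strings.NewReader(sampleTCP4), false)
	v6, _ := listeningPorts(strings.NewReader(sampleTCP6), true)
	fmt.Println("tcp:", v4, "tcp6:", v6) // 8181 appears only in the tcp6 table
}
```

On a live host the two readers would be the opened /proc/net/tcp and /proc/net/tcp6 files, and the inode is what gets matched against the socket links under /proc/<pid>/fd to name the owning process.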


(Steffen Siering) #2

Ouch. Looks like a bug. Have you tried to fix this and open a PR?


(Tomasz) #3

Already did, waiting for merge and release.

