Packetbeat.yml with_vlans

Elastic Stack Beats
1

Hello there,

How do I enable the option to packetbeat with_vlans.

Can you help?

2

Hi, the with_vlans option was added after our last release. We're working right now on releasing beta3, should come out in the next couple of days.

3

thanks for the reply
with_vlans: true will use my right in this way. beta3 released after

4

Beta3 is now available: https://www.elastic.co/downloads/beats/packetbeat

5

Thank you for the reply

How to enable with_vlans ?

[root@packtbeat ~]$packetbeat -version
packetbeat version 1.0.0-beta3

6

You need to add the option to the interfaces section, something like this:

interfaces:
  device: eth0
  with_vlans=true
1 Like
7

not running :frowning:

8

Oops, sorry, I meant with_vlans: true, i.e. : instead of =.

9

I can see the traffic with tcpdump, but the results could not Kibana screen


kibana.png1762×762 57.7 KB

10

What protocols do you want to monitor? In the screenshot I see some ICMP (which we Packetbeat doesn't support) and some DNS requests?

11

protocols:dns,http,mysql,mongodb,psql

12

Can you help?

13

Please try to run Packetbeat in foreground like this:

 packetbeat -e -d "sniffer,publish"

And check from the output if packetbeat seems to be receiving packets and if it sends it to Elasticsearch.

14

hi,

eth3; fibre channel port

my packetbeat.yml:

#Sniffer
interfaces:
device: eth3
with_vlans: true

output:

[root@ntop ~]$ packetbeat -e -d "sniffer,publish"
geolite.go:61: INFO Loaded GeoIP data from: /usr/share/GeoIP/GeoIP.dat
output.go:80: INFO [ElasticsearchOutput] Using Elasticsearch [http://10.10.11.232:9200]
output.go:81: INFO [ElasticsearchOutput] Using index pattern [packetbeat-]YYYY.MM.DD
output.go:82: INFO [ElasticsearchOutput] Topology expires after 15s
output.go:84: INFO [ElasticsearchOutput] Insert events in batches. Flush interval is 1s. Bulk size is 10000.
publish.go:250: INFO Using elasticsearch to store the topology
publish.go:285: INFO Topology map refreshed every 10s
publish.go:211: DBG Add topology entry for ntop: [10.10.11.232 fe80::21c:c4ff:fedd:d9e0 fe80::200:c9ff:fecd:78dc]
sniffer.go:234: DBG BPF filter: tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 5000 or tcp port 8002 or tcp port 3306 or tcp port 6379 or tcp port 5432 or tcp port 9090 or tcp port 27017 or udp port 53 or port 11211 or (vlan and (tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 5000 or tcp port 8002 or tcp port 3306 or tcp port 6379 or tcp port 5432 or tcp port 9090 or tcp port 27017 or udp port 53 or port 11211))
sniffer.go:119: DBG Sniffer type: pcap device: eth3
sniffer.go:280: DBG Interrupted
sniffer.go:337: DBG Packet number: 1

"
"
"

sniffer.go:337: DBG Packet number: 194
sniffer.go:280: DBG Interrupted
sniffer.go:280: DBG Interrupted
sniffer.go:280: DBG Interrupted
sniffer.go:337: DBG Packet number: 195
sniffer.go:337: DBG Packet number: 196
sniffer.go:337: DBG Packet number: 197
sniffer.go:337: DBG Packet number: 198
sniffer.go:337: DBG Packet number: 199
sniffer.go:337: DBG Packet number: 200
sniffer.go:337: DBG Packet number: 201
sniffer.go:337: DBG Packet number: 202
sniffer.go:337: DBG Packet number: 203
sniffer.go:337: DBG Packet number: 204
sniffer.go:337: DBG Packet number: 205
sniffer.go:337: DBG Packet number: 206
sniffer.go:337: DBG Packet number: 207
publish.go:211: DBG Add topology entry for ntop: [10.10.11.232 fe80::21c:c4ff:fedd:d9e0 fe80::200:c9ff:fecd:78dc]
sniffer.go:280: DBG Interrupted
sniffer.go:280: DBG Interrupted
^Csniffer.go:280: DBG Interrupted
sniffer.go:342: INFO Input finish. Processed 207 packets. Have a nice day!
[root@ntop ~]$