Packetbeat 7.13.3 default BPF doesn't seem to work.
Officially, my understanding is that when I set up a protocol for monitoring, Packetbeat will create a default BPF containing only the ports for this protocol. However, according to the returned data, there are still flow records for other ports.
The following is the official documentation for BPF. My understanding is that as long as I configure the protocol port, a BPF containing all configured ports will be set by default, regardless of whether I have flows enabled or not.
But from my search of other topics, with -d "sniffer", when flows are disabled the default BPF exists, but when flows are enabled the default BPF is null.
Can someone help me explain this? Is my understanding wrong?
“Packetbeat automatically generates a BPF for capturing only the traffic on ports where it expects to find known protocols. For example, if you have configured port 80 for HTTP and port 3306 for MySQL, Packetbeat generates the following BPF filter: "port 80 or port 3306".”
Config (./packetbeat export config):
output:
  console:
    pretty: true
packetbeat:
  flows:
    enabled: true
    period: 10s
    timeout: 30s
  interfaces:
    device: any
    internal_networks:
    - private
    with_vlans: true
  protocols:
  - ports:
    - 8082
    type: http
path:
  config: /packetbeat
  data: /packetbeat/data
  home: /packetbeat
  logs: /packetbeat/logs
processors:
- else:
  - add_host_metadata: null
  if:
    contains:
      tags: forwarded
  then:
  - drop_fields:
      fields:
      - host
- add_cloud_metadata: null
- add_docker_metadata: null
- detect_mime_type:
    field: http.request.body.content
    target: http.request.mime_type
- detect_mime_type:
    field: http.response.body.content
    target: http.response.mime_type
setup:
  kibana: null
  template:
    settings:
      index:
        number_of_shards: 1
Console printed message:
{
  "@timestamp": "2021-07-19T02:29:00.000Z",
  "@metadata": {
    "beat": "packetbeat",
    "type": "_doc",
    "version": "7.13.3"
  },
  "destination": {
    "ip": "127.0.0.1",
    "port": 14003,
    "bytes": 68,
    "packets": 1
  },
  "event": {
    "type": [
      "connection"
    ],
    "start": "2021-07-19T02:28:42.737Z",
    "end": "2021-07-19T02:28:42.738Z",
    "duration": 25372,
    "dataset": "flow",
    "kind": "event",
    "category": [
      "network_traffic",
      "network"
    ],
    "action": "network_flow"
  },
  "agent": {
    "ephemeral_id": "85a0222a-280f-45b0-bcfd-2be66dd6464a",
    "id": "3b76ae74-db03-47a6-b661-896e7a57c98e",
    "name": "localhost.localdomain",
    "type": "packetbeat",
    "version": "7.13.3",
    "hostname": "localhost.localdomain"
  },
  "ecs": {
    "version": "1.9.0"
  },
  "host": {
    "hostname": "localhost.localdomain",
    "name": "localhost.localdomain",
    "architecture": "x86_64",
    "os": {
      "codename": "Ootpa",
      "type": "linux",
      "platform": "rhel",
      "version": "8.0 (Ootpa)",
      "family": "redhat",
      "name": "Red Hat Enterprise Linux",
      "kernel": "4.18.0-80.el8.x86_64"
    },
    "id": "25cd3e42d88e4d53ad3b0a43045a4e08",
    "containerized": false,
    "ip": [
      "192.168.6.77",
      "fe80::7c9f:c65c:ceb5:ca3a",
      "192.168.21.177",
      "fe80::4241:95bf:ae7b:cb56",
      "192.168.122.1"
    ],
    "mac": [
      "00:50:56:ad:62:e2",
      "00:50:56:ad:21:d3",
      "52:54:00:11:fb:fc",
      "52:54:00:11:fb:fc"
    ]
  },
  "type": "flow",
  "network": {
    "type": "ipv4",
    "transport": "tcp",
    "community_id": "1:YHM0DI+3vHzd1oIBr7mE7R9KCWo=",
    "bytes": 406,
    "packets": 2
  },
  "source": {
    "port": 41306,
    "packets": 1,
    "bytes": 338,
    "ip": "127.0.0.1"
  },
  "flow": {
    "id": "EAT/////AP//////CP8AAAF/AAABfwAAAVqhszY",
    "final": false
  }
}
There is obviously data for other ports in the message.
Did I configure or understand it wrong?
Furthermore:
I've also tried packetbeat.interfaces.with_vlans: false.
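As an added example (not code from the forum post or from Packetbeat's own source), the following Python script models the documented default filter ("port 80 or port 3306" for the documented HTTP and MySQL ports, with the VLAN variant wrapping the same expression) and then checks the quoted flow event against the single configured port, 8082. The `effective_bpf` branch that returns an empty filter when flows are enabled is an assumption drawn only from the poster's `-d "sniffer"` observation, not a statement about Packetbeat internals; the trimmed `SAMPLE_FLOW` is a constructed copy of the ports and addresses in the quoted event.

```python
"""Model of Packetbeat's documented default BPF versus an observed flow event.

Added example, not Packetbeat code. It shows why a flow record on ports
41306 -> 14003 could never have passed a "port 8082" filter, which is the
poster's evidence that no port filter was in effect while flows were enabled.
"""
import json


def protocol_port_set(protocol_ports):
    """Flatten {protocol: [ports]} into the set of all configured ports."""
    return {int(p) for ports in protocol_ports.values() for p in ports}


def build_bpf(protocol_ports, with_vlans=False):
    """Build the documented default filter, e.g. "port 80 or port 3306".

    With VLANs, the same port list is repeated inside a "vlan and (...)"
    clause so tagged frames are matched too (assumed shape, see lead-in).
    """
    ports = sorted(protocol_port_set(protocol_ports))
    if not ports:
        return ""
    expr = " or ".join(f"port {p}" for p in ports)
    if with_vlans:
        expr = f"{expr} or (vlan and ({expr}))"
    return expr


def effective_bpf(protocol_ports, flows_enabled, with_vlans=False):
    """Filter the sniffer would install.

    Assumption (from the poster's -d "sniffer" output): when flows are
    enabled, no port filter is applied, because flow records must cover
    every connection, not only the protocol ports.
    """
    if flows_enabled:
        return ""
    return build_bpf(protocol_ports, with_vlans)


def event_ports(event):
    """Source and destination ports of a flow/transaction event."""
    return {event["source"]["port"], event["destination"]["port"]}


def passes_port_filter(event, protocol_ports):
    """True if a "port X or port Y" filter would have let this event through."""
    return bool(event_ports(event) & protocol_port_set(protocol_ports))


# Constructed, trimmed copy of the event quoted in the post.
SAMPLE_FLOW = json.loads("""
{
  "event": {"dataset": "flow", "action": "network_flow"},
  "source": {"ip": "127.0.0.1", "port": 41306},
  "destination": {"ip": "127.0.0.1", "port": 14003},
  "network": {"transport": "tcp"}
}
""")

POSTER_CONFIG = {"http": [8082]}
DOCS_CONFIG = {"http": [80], "mysql": [3306]}


def explain(event, protocol_ports, flows_enabled, with_vlans):
    """Summarise what filter applies and whether the event fits it."""
    return {
        "effective_bpf": effective_bpf(protocol_ports, flows_enabled, with_vlans),
        "would_pass_port_filter": passes_port_filter(event, protocol_ports),
        "ports_seen": sorted(event_ports(event)),
    }


if __name__ == "__main__":
    print(build_bpf(DOCS_CONFIG))
    print(build_bpf(POSTER_CONFIG, with_vlans=True))
    print(json.dumps(explain(SAMPLE_FLOW, POSTER_CONFIG, True, True), indent=2))
```

Running it prints the documentation's "port 80 or port 3306", the VLAN-wrapped filter for port 8082, and a summary showing that the quoted flow (ports 41306 and 14003) does not match the configured port at all, so it could only have been captured with no port filter in place.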