Response Time, Flows and New Transaction Protocol

I've read the post: Finding total latency(round trip time or response time) per flow?

For a new transaction protocol, call it elastic, which transacts on port 2019, I want to be able to calculate response times but also still be able to see flow statistics.

  • Is it possible to have both flow statistics and transaction protocol metrics?
  • If so, what are the critical config settings in packetbeat.yml to achieve this?

Packetbeat has a finite set of protocols that it understands (see docs). In order to measure response time Packetbeat needs to understand the protocol to know when a request and response are sent.

So if the protocol isn't one of the ones that Packetbeat has a decoder for, then you cannot get response times without implementing a custom decoder and building your own Packetbeat (or contributing the decoder).

You can measure generic flow stats only for traffic on port 2019 by setting a custom filter (docs). Note that this overrides the packet filter for all of Packetbeat, so if you enable the DNS protocol, for example, you will need to add port 53 into the filter manually.

packetbeat.interfaces.bpf_filter: "port 2019"
packetbeat.flows.enabled: true
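A check for the pitfall described in the reply above, added here as an example and not part of the original post or of Packetbeat: it reports enabled protocols whose ports the custom `bpf_filter` does not name, so their traffic would never reach the decoder. The function name and both sample configs are constructed, and it assumes the YAML has already been parsed into nested dicts and that the filter is built only from plain `port N` terms.

```python
import re

def uncovered_protocol_ports(config):
    """Map each enabled protocol to the ports its custom BPF filter omits."""
    pb = config.get("packetbeat", {})
    bpf = pb.get("interfaces", {}).get("bpf_filter")
    if not bpf:
        # No custom filter set, so nothing overrides Packetbeat's own filter.
        return {}
    # Assumption: only simple "port N" terms (optionally with src/dst/tcp/udp).
    # Negations ("not port 53") and "portrange" are not interpreted here.
    covered = {int(p) for p in re.findall(r"\bport\s+(\d+)", bpf)}
    missing = {}
    for proto in pb.get("protocols", []):
        if not proto.get("enabled", True):
            continue
        gaps = [p for p in proto.get("ports", []) if p not in covered]
        if gaps:
            missing[proto["type"]] = gaps
    return missing

# Constructed sample: flows on port 2019, DNS enabled, filter forgets port 53.
NARROW = {"packetbeat": {
    "interfaces": {"device": "any", "bpf_filter": "port 2019"},
    "flows": {"enabled": True},
    "protocols": [
        {"type": "dns", "ports": [53]},
        {"type": "http", "ports": [2019]},
    ],
}}

# Constructed sample: same config with port 53 added to the filter by hand.
FIXED = {"packetbeat": {
    "interfaces": {"device": "any", "bpf_filter": "port 2019 or port 53"},
    "flows": {"enabled": True},
    "protocols": [
        {"type": "dns", "ports": [53]},
        {"type": "http", "ports": [2019]},
    ],
}}

if __name__ == "__main__":
    print("narrow filter misses:", uncovered_protocol_ports(NARROW))
    print("fixed filter misses:", uncovered_protocol_ports(FIXED))
```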

I get it, so if I want to get both flow stats and protocol (say http) response time, I need to do something like this:

packetbeat.interfaces.device: any
packetbeat.interfaces.bpf_filter: "port 2019"
packetbeat.protocols:
- type: http
  ports: [2019]
  enabled: true

Is this right?
Is there an easy way to know if I'm missing any other protocols that exist in the flows?
