Support for TCP/UDP Unknown Packets

(Justin Bovee) #1

Hi all...
We are using packetbeat to review pcaps from multiple environments and like how it is set up.
I realize that the primary focus of packetbeat is to review the protocol and streams. Are there plans in the future for monitoring at the TCP or UDP layer for unknown protocols?
We started working on a plugin for monitoring unknown TCP but are finding that the current TCP code, for example, drops retransmits and failures. What would it take to support TCP/UDP monitoring?

Also, is there any documentation on code layout and writing plugins?

(Tudor Golubenco) #2

Hi Justin,

First of all, yes, this is something we want to have. It wasn't in Packetbeat's initial focus, but it matches perfectly with the Beats idea. We've been working on a dev guide for new protocols (raw and unedited here), but it's focused on adding an application layer protocol. For having support for unknown protocols we'd need to rework the TCP layer.

While we want to do this in the relatively near future, it's not planned yet, so I'm not sure when we'll work on it. So if you want to work on it, you'll for sure have our full support. In any case, it would help us if you could write down what things we'd want captured from the TCP/UDP streams.

(Shendaras) #3


I have something started to pull in simple information available through the layers in gopacket. I have augmented Packet to include things like source and destination MAC address where available, etc. Packets which aren't picked up by a known protocol get published with just that packet information and a hexdump of the payload. I'm open to suggestions for improving that API. There's quite a lot that I think could be pulled down from gopacket's layers that isn't yet available in the events. I'll see about forking the project on GitHub and including my changes so you can see the prelim and hopefully suggest an appropriate direction.
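
The approach described in #3 (publish packets that no protocol parser claims, with basic layer information and a hex dump of the payload), as an added example that is not part of the thread and is not Packetbeat's or the poster's code. It uses only the Go standard library rather than gopacket; `Event`, `Decode`, `knownPorts` and the sample frame are hypothetical names and constructed data.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
)

// Event is a hypothetical record for a packet that no protocol parser claimed.
type Event struct {
	SrcMAC, DstMAC, SrcIP, DstIP, Transport, PayloadHex string
	SrcPort, DstPort                                    uint16
}
var knownPorts = map[uint16]bool{80: true, 3306: true} // assumed: ports that parsers claim
// Constructed sample: Ethernet II, IPv4, UDP 50000 -> 9000, payload de ad be ef.
const sampleHex = "00112233445566778899aabb0800" + "4500002000000000401100000a0000010a000002" + "c3502328000c0000" + "deadbeef"
// Decode parses Ethernet II / IPv4 / TCP or UDP; unknown is true when neither port is a known protocol's.
func Decode(frame []byte) (ev Event, unknown bool, err error) {
	if len(frame) < 34 || binary.BigEndian.Uint16(frame[12:14]) != 0x0800 {
		return Event{}, false, errors.New("not an Ethernet II / IPv4 frame")
	}
	ip := frame[14:]
	ihl, total := int(ip[0]&0x0f)*4, int(binary.BigEndian.Uint16(ip[2:4]))
	if ip[0]>>4 != 4 || ihl < 20 || total < ihl+8 || total > len(ip) || binary.BigEndian.Uint16(ip[6:8])&0x1fff != 0 {
		return Event{}, false, errors.New("malformed, truncated or non-first-fragment IPv4")
	}
	seg, hdr := ip[ihl:total], 8 // slicing at total drops Ethernet padding
	switch {
	case ip[9] == 17:
		ev.Transport = "udp"
	case ip[9] == 6 && len(seg) >= 20 && seg[12]>>4 >= 5:
		ev.Transport, hdr = "tcp", int(seg[12]>>4)*4 // TCP data offset in bytes
	}
	if ev.Transport == "" || hdr > len(seg) {
		return Event{}, false, errors.New("unsupported or malformed transport header")
	}
	ev.DstMAC, ev.SrcMAC = net.HardwareAddr(frame[0:6]).String(), net.HardwareAddr(frame[6:12]).String()
	ev.SrcIP, ev.DstIP = net.IP(ip[12:16]).String(), net.IP(ip[16:20]).String()
	ev.SrcPort, ev.DstPort = binary.BigEndian.Uint16(seg[0:2]), binary.BigEndian.Uint16(seg[2:4])
	ev.PayloadHex = hex.EncodeToString(seg[hdr:])
	return ev, !knownPorts[ev.SrcPort] && !knownPorts[ev.DstPort], nil
}

func main() {
	frame, _ := hex.DecodeString(sampleHex)
	fmt.Println(Decode(frame))
}
```

Non-first IP fragments are rejected because they carry no port numbers; a monitor that wants them would publish at the IP layer instead.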

(system) #4