I want to make a table or a graph that shows top hosts / IPs uploading a large amount of data transfer to the outside domains.
Probably I want a table/metric that shows:
Out_Bytes
Source IP addresses (of internal hosts initiating outbound data transfer)
Destination IP addresses (of external hosts over WAN in outside domains)
Is this possible?
I looked up various sample visualizations that came with Packetbeat and couple of them seem close to what I'm trying to do but the numbers of the transfer amount didn't make sense to me.
Hey @learner are you using the packet beat data to try to build this visualization, if not would you mind providing the relevant fields from your index pattern that contain this information?
Yeah, I was trying to do it with Packetbeat with no success but am open to using whatever other package suits what I'm trying to do.
With one of Packetbeat's sample dashboards, I was trying to use:
[Packetbeat] Flows
In that dashboard, the metric at the very bottom is:
Network traffic between your hosts
That's what I was trying to use but the numbers shown in the "Source traffic" and "Destination traffic" fields don't seem to accurately reflect my perception on our actual network traffic.
That is, some traffic numbers between an internal host and an external host are way too big, exceeding our WAN link bandwidth (1 Gbps), making me think that it's not possible and thus the numbers are not accurate.
Maybe I'm having some misunderstanding on the Bytes unit or so... I don't know and am trying to figure it out at the same time while asking here to find a new or better way that would generate numbers that make sense.
Hey @learner, these charts are showing the total flow of bytes that were sent/received over a specific duration. So, if you're viewing the [Packetbeat] Flows dashboard for the past "15 Minutes" (as configured via the time filter in the upper right corner), you'll see the total bytes that were sent during that duration. The 15 GB of traffic over 15 minutes that you're seeing is well under 1 Gbps.
Since I posted my messages, I've wiped out everything, all the Elastic Stack packages, PacketBeat, and the data directory, and reinstalled Elastic Stack 6.1 and started everything fresh.
Kibana still shows nonsense numbers, like before.
That is, Kibana's Packetbeat network traffic numbers in bytes far exceed our maximum WAN throughput (1 Gbps) to the outside world.
Actually, from another thread, as below, where I had posted and got responses, applying the "final: true" filter is making the data numbers show correctly now for me.
I had tried it at that time and thought that it was showing wrong numbers in a different way, for which I think I did something wrong back then.
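The aggregation the thread is after, as an added example that is not code from the thread or from Packetbeat: outbound bytes per (internal source, external destination) pair, built from flow events, with and without the `final: true` filter, plus the bandwidth sanity check from the replies. It assumes hypothetical flat field names (`flow_id`, `final`, `src`, `dst`, `out_bytes`) and that periodic reports for one flow carry running totals, which is why summing non-final reports inflates the numbers.

```python
# Added example (not from the thread or Packetbeat): top outbound talkers from
# flow events, showing why filtering on `final: true` fixes the inflated totals.
# Assumed (hypothetical) flat field names: flow_id, final, src, dst, out_bytes.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: a flow is reported several times while it is open, each
# report carrying the running byte total so far; the last report is marked final.
FLOW_EVENTS = [
    {"flow_id": "f1", "final": False, "src": "10.0.0.5", "dst": "203.0.113.9", "out_bytes": 400_000_000},
    {"flow_id": "f1", "final": False, "src": "10.0.0.5", "dst": "203.0.113.9", "out_bytes": 800_000_000},
    {"flow_id": "f1", "final": True, "src": "10.0.0.5", "dst": "203.0.113.9", "out_bytes": 1_200_000_000},
    {"flow_id": "f2", "final": True, "src": "10.0.0.7", "dst": "198.51.100.2", "out_bytes": 50_000_000},
    {"flow_id": "f3", "final": True, "src": "10.0.0.5", "dst": "10.0.0.20", "out_bytes": 900_000_000},
]

# Assumed internal address space (RFC 1918); anything else is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def outbound_bytes(events, final_only=True):
    """Sum bytes per (internal src, external dst). Internal-to-internal flows are skipped."""
    totals = defaultdict(int)
    for ev in events:
        if final_only and not ev["final"]:
            continue  # skip interim reports: their running totals would be double-counted
        if not is_internal(ev["src"]) or is_internal(ev["dst"]):
            continue
        totals[(ev["src"], ev["dst"])] += ev["out_bytes"]
    return dict(totals)

def top_talkers(events, n=5, final_only=True):
    """Pairs ranked by outbound bytes, largest first (the table the question asks for)."""
    pairs = outbound_bytes(events, final_only).items()
    return sorted(pairs, key=lambda kv: kv[1], reverse=True)[:n]

def plausible(total_bytes, window_seconds, link_bps=1_000_000_000):
    """Sanity check from the thread: bytes seen in the window must fit through the WAN link."""
    return total_bytes * 8 <= link_bps * window_seconds

if __name__ == "__main__":
    print("with final only:", top_talkers(FLOW_EVENTS))
    print("all reports:   ", top_talkers(FLOW_EVENTS, final_only=False))
    print("15 GB in 15 min fits 1 Gbps:", plausible(15_000_000_000, 900))
```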