Dears,
I’m currently troubleshooting an issue with my Logstash cluster and would appreciate some guidance.
I’m consistently seeing the following warning in the Logstash logs:
org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 71
To investigate this, I captured the network traffic using tcpdump on the Beats input port and attempted to analyze it in Wireshark. However, I’m unable to properly interpret the packets — they appear in binary format and I couldn’t successfully decode them as HTTP or any other readable protocol.
I also tried manually setting the protocol decoding in Wireshark to HTTP for the relevant port, but it didn’t help since Beats uses its own binary framing protocol, and the data remains unreadable.
Has anyone encountered a similar issue, or does anyone have recommendations on how to effectively analyze Beats protocol traffic in Wireshark or identify the source of invalid frames?
Any suggestions or packet dissector recommendations would be greatly appreciated.
Thanks in advance!
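
Added example, not part of the original post and not Logstash or Wireshark code: a small Python walker for the Beats (Lumberjack v2) framing. It shows how the number in `Invalid version of beats protocol: N` is simply the first byte the client sent (71 is ASCII `G`, 22 is a TLS handshake record). It assumes the input is the unencrypted client-to-server bytes of one TCP connection, for example exported raw from Wireshark's "Follow TCP Stream"; all function names and sample streams are constructed for illustration.

```python
import json
import struct
import zlib

VALID_VERSIONS = (0x31, 0x32)  # ASCII '1' and '2', the versions the Beats input accepts

def describe_bad_version(b):
    """Explain a first byte that would be rejected as a protocol version."""
    if b == 0x16:
        return "22 (0x16): TLS handshake record, client speaks TLS to a non-TLS input"
    if 0x20 <= b < 0x7F:
        return f"{b} (ASCII {chr(b)!r}): plain-text client, e.g. an HTTP request line"
    return f"{b} (0x{b:02x}): unknown binary client"

def walk_frames(stream):
    """Decode the frames in one client-to-server byte stream (big-endian fields)."""
    frames, pos = [], 0
    while pos + 2 <= len(stream):
        version, ftype = stream[pos], chr(stream[pos + 1])
        if version not in VALID_VERSIONS:
            frames.append(("INVALID", describe_bad_version(version)))
            break
        pos += 2
        if ftype == "W":    # window size: uint32
            (window,) = struct.unpack_from(">I", stream, pos)
            frames.append(("window", window))
            pos += 4
        elif ftype == "J":  # JSON event: uint32 seq, uint32 length, payload
            seq, length = struct.unpack_from(">II", stream, pos)
            pos += 8
            frames.append(("json", seq, json.loads(stream[pos:pos + length])))
            pos += length
        elif ftype == "C":  # compressed: uint32 length, zlib data holding more frames
            (length,) = struct.unpack_from(">I", stream, pos)
            pos += 4
            frames += walk_frames(zlib.decompress(stream[pos:pos + length]))
            pos += length
        else:               # other frame types are not decoded in this sketch
            frames.append(("unhandled", ftype))
            break
    return frames

# Constructed sample streams (not captured traffic).
_event = json.dumps({"message": "hello"}).encode()
_inner = zlib.compress(b"2J" + struct.pack(">II", 1, len(_event)) + _event)
GOOD = b"2W" + struct.pack(">I", 1) + b"2C" + struct.pack(">I", len(_inner)) + _inner
HTTP = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"

if __name__ == "__main__":
    for name, data in (("beats", GOOD), ("http", HTTP), ("tls", b"\x16\x03\x01")):
        print(name, walk_frames(data))
```

Grouping the `INVALID` results by source address from the capture points at the client sending non-Beats traffic to the port.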