Unmatched responses or requests

Hi all,

I'm using packetbeat to capture http webservices traffic using SOAP , and I'm facing a lot of http requests that are logged as unmatched requests or responses. ( for example, 80k on 470k documents on last 24h had these error, with ~ 70% unmatched response, 15% Packet loss while capturing the request, and 15% unmatched request).

I use packetbeat on ~ 30 different VMs under proxmox, dispatched on around 10 hypervisors and have these uncomplete documents from all VMs.
Some has more error than others, I watched on VMs which have the most important count of erreor, but found nothing relevant on metrics (lot of cpu & memory free, network link not saturated)

I also use packetbeat on kubernetes containers, the behavior is the same on both platforms.

I've already read a lot of topics about it, and changed my conf from pcap to af_packet, but unfortunately this is not better.
I also tried to disable tcp offloading, but I still see unmatched documents.

Below actual config I use :

packetbeat.interfaces.device: eth0
packetbeat.interfaces.type: af_packet
packetbeat.interfaces.buffer_size_mb: 2048
packetbeat.interfaces.auto_promisc_mode: true

  enabled: false
  timeout: 30s
  period: 10s
- type: http
  enabled: true
  ports: [8200,8201,8202,8204,8205,8207,8208]
  include_body_for: ["application/json","text/html","application/soap+xml","text/xml"]
  send_all_headers: true
  real_ip_header: "X-Forwarded-For"
  send_request: false
  send_response: false
  keep_null: true
logging.metrics.enabled: false
packetbeat.procs.enabled: false
packetbeat.ignore_outgoing: false
  - add_fields:
      target: fields
        context: 'prod'
tags: ["packetbeat"]
  enabled: true
  hosts: ["ls1.vrack:5045","ls2.vrack:5045"]

Does anyone has an idea ?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.