Using Packetbeat and named pipes on Linux

Hi all,

I have some old Linux servers on my network that will not run Packetbeat, and I want to capture the traffic and put it on an Elasticsearch instance. One of the ways I've found to remote capture is by using tcpdump on a named pipe, like this:

    ssh myuser@myserver "sudo -S /usr/sbin/tcpdump -s 0 -n -w - -U -i eth0 port 14010 2>/dev/null" > /tmp/capture1.fifo

How can I read this fifo and send the data with Packetbeat? I need to extract the HTTP traffic, with http.response.body and http.request.body, and my configuration in packetbeat.yml is quite simple for the job:

    - type: http
      # Configure the ports where to listen for HTTP traffic. You can disable
      # the HTTP protocol by commenting out the list of ports.
      ports: [80, 8080, 7010, 7020, 7030, 7040, 8010, 8020, 8030, 8040]
      send_request: true
      send_response: true
      include_body_for: ["text/html", "text/xml"]

Can someone help how to do this?

Thanks in advance!

You could try reading from the pipe with flags like packetbeat -e -t -I /tmp/capture1.fifo. But I think this will clobber your timestamps if it works at all. We use this for testing Packetbeat by reading data in from a file.
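As an added example (my own script, not code from either poster), a small POSIX shell script that ties the two posts together: it creates the fifo, starts the remote tcpdump from the question writing into it, and hands the pipe to Packetbeat with the `-e -t -I` flags from the reply. The user, host, interface, port and fifo path are the values from the question and are placeholders; `build_remote_cmd`, `pcap_header_ok` and `start_capture` are helper names I chose, and `pcap_header_ok` is a sanity check of mine for confirming that a capture really starts with a pcap global header before a pipe is pointed at Packetbeat.

```shell
#!/bin/sh
# Added example, not from the original thread. Feeds a remote tcpdump capture
# through a local named pipe into Packetbeat, as the reply above suggests.
# myuser, myserver, eth0, 14010 and /tmp/capture1.fifo are the values from the
# question and are placeholders for real ones.

REMOTE_USER="${REMOTE_USER:-myuser}"
REMOTE_HOST="${REMOTE_HOST:-myserver}"
IFACE="${IFACE:-eth0}"
PORT="${PORT:-14010}"
FIFO="${FIFO:-/tmp/capture1.fifo}"

# Compose the remote capture command from the question: -w - sends the pcap
# stream to stdout (carried back over ssh), -U flushes every packet so the
# pipe is not starved, -s 0 keeps whole packets so HTTP bodies stay intact.
build_remote_cmd() {
    printf 'sudo -S /usr/sbin/tcpdump -s 0 -n -U -w - -i %s port %s 2>/dev/null' "$1" "$2"
}

# Check that a file or fifo starts with a pcap global header. Only the 4-byte
# magic is read, so on a fifo those bytes are consumed: use this on a short
# test capture, not on the pipe Packetbeat is about to read. Accepts both
# byte orders and the nanosecond-resolution variants. Returns 0 on a match.
pcap_header_ok() {
    magic=$(dd if="$1" bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;
        *) return 1 ;;
    esac
}

# Create the fifo (mode 600: the pipe carries cleartext request and response
# bodies), start the remote writer in the background and hand the pipe to
# Packetbeat. -I reads a pcap stream from a path; -t replays it without
# sleeping, which is why the reply above expects the timestamps to be off.
start_capture() {
    [ -p "$FIFO" ] || mkfifo -m 600 "$FIFO"
    ssh "$REMOTE_USER@$REMOTE_HOST" "$(build_remote_cmd "$IFACE" "$PORT")" > "$FIFO" &
    writer=$!
    packetbeat -e -t -I "$FIFO"
    kill "$writer" 2>/dev/null
    rm -f "$FIFO"
}

# Uncomment to run for real (needs ssh access to the old server and
# packetbeat on PATH):
# start_capture
```

The fifo is created with mode 600 on purpose: everything tcpdump writes into it, including the HTTP bodies the question wants to ship, is readable by anyone who can open the pipe, so it should not be world-readable under /tmp. Because a fifo has no seekable header, `pcap_header_ok` is meant for a short capture to a regular file (for example the same tcpdump command with `-c 10 -w /tmp/test.pcap`) before wiring the live pipe up; once Packetbeat is reading the fifo nothing else should touch it.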
