Hello,
I have the same issue as with Docker overlay networks.
I'm using AWS mirroring to send traffic from one Network Interface to another EC2 instance where I have installed ES. AWS is using VXLAN and sends the traffic on UDP port 4789. Tcpdump is decoding the packets correctly, but packetbeat is only showing the VXLAN traffic:
10:54:57.937812 06:1d:f1:cb:ae:16 > 06:68:cb:f8:8f:56, ethertype IPv4 (0x0800), length 363: 10.0.62.55.65455 > 10.4.61.197.4789: VXLAN, flags [I] (0x08), vni 13686788
06:bf:dc:16:87:aa > 06:4b:8e:2d:e6:76, ethertype IPv4 (0x0800), length 313: 45.156.96.12.6363 > 208.76.18.31.46422: UDP, length 271
10:54:57.946287 06:1d:f1:cb:ae:16 > 06:68:cb:f8:8f:56, ethertype IPv4 (0x0800), length 147: 10.0.62.55.65414 > 10.4.61.197.4789: VXLAN, flags [I] (0x08), vni 13686788
06:4b:8e:2d:e6:76 > 06:bf:dc:16:87:aa, ethertype IPv4 (0x0800), length 97: 208.76.18.31.56451 > 45.156.96.12.6363: UDP, length 55
I have bolded the traffic that I see in the ES index, but I wanted to see the content (second line).
Please advise how to overcome this. This feature request looks closed: Support packet recognition within VxLAN · Issue #1283 · elastic/beats · GitHub
Best Regards,
Mihai Radulescu
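The encapsulation the post describes is small: AWS Traffic Mirroring wraps the mirrored frame in Ethernet/IPv4/UDP (destination port 4789) plus an 8-byte VXLAN header (RFC 7348: one flags byte, three reserved bytes, a 24-bit VNI, one reserved byte). The following Python is an added example, not the poster's code and not part of packetbeat or any Elastic project. It builds a constructed frame that mirrors the addresses and the VNI (13686788) from the capture above, decapsulates it, and decodes the inner Ethernet/IPv4/UDP headers that packetbeat was not showing. Assumptions: the sample payload is made up, IP/UDP checksums are left at zero (they are not validated), and only IPv4-over-UDP inner traffic is decoded; other protocols are returned as raw payload.

```python
"""Decapsulate AWS Traffic Mirroring (VXLAN on UDP/4789) frames and decode the
inner Ethernet/IPv4/UDP packet. Added example; not packetbeat code."""
import struct

VXLAN_PORT = 4789        # IANA-assigned VXLAN port, used by AWS Traffic Mirroring
VXLAN_FLAG_I = 0x08      # RFC 7348: the "I" flag must be set for the VNI to be valid
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ipv4(b):
    return ".".join(str(x) for x in b)


def parse_ethernet(data):
    """Return (header dict, payload) for one Ethernet II frame."""
    if len(data) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", data[:14])
    return {"dst": mac(dst), "src": mac(src), "ethertype": ethertype}, data[14:]


def parse_ipv4(data):
    """Return (header dict, payload); honours IHL and trims by total length."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(data) < ihl:
        raise ValueError("bad IHL")
    hdr = {"src": ipv4(src), "dst": ipv4(dst), "proto": proto, "ttl": ttl}
    return hdr, data[ihl:total_len]   # drop any Ethernet trailer padding


def parse_udp(data):
    if len(data) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", data[:8])
    return {"sport": sport, "dport": dport, "len": length}, data[8:length]


def parse_vxlan(data):
    """VXLAN header: 8 flag bits, 24 reserved, 24-bit VNI, 8 reserved (RFC 7348)."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_and_reserved = struct.unpack("!B3xI", data[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is invalid")
    return {"flags": flags, "vni": vni_and_reserved >> 8}, data[8:]


def decode(frame, depth=0):
    """Decode Ethernet/IPv4/UDP. If the UDP destination port is 4789 and a valid
    VXLAN header follows, strip it and decode the inner frame under 'inner'."""
    eth, rest = parse_ethernet(frame)
    layers = {"eth": eth}
    if eth["ethertype"] != ETHERTYPE_IPV4:
        layers["payload"] = rest
        return layers
    ip, rest = parse_ipv4(rest)
    layers["ip"] = ip
    if ip["proto"] != IPPROTO_UDP:
        layers["payload"] = rest
        return layers
    udp, rest = parse_udp(rest)
    layers["udp"] = udp
    if udp["dport"] == VXLAN_PORT and depth < 2:      # bound nesting depth
        try:
            vx, inner = parse_vxlan(rest)
        except ValueError:
            layers["payload"] = rest                  # not decapsulated
            return layers
        layers["vxlan"] = vx
        layers["inner"] = decode(inner, depth + 1)
    else:
        layers["payload"] = rest
    return layers


def build_ipv4_udp(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/UDP frame (checksums left at zero)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64,
                     IPPROTO_UDP, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac.replace(":", "")),
                      bytes.fromhex(src_mac.replace(":", "")), ETHERTYPE_IPV4)
    return eth + ip + udp


def vxlan_header(vni, flags=VXLAN_FLAG_I):
    return struct.pack("!B3xI", flags, vni << 8)


# Constructed sample: same MACs, IPs, ports and VNI as the tcpdump lines above;
# the payload is made up (the real capture carried 271 bytes).
INNER_PAYLOAD = b"constructed sample payload"
INNER_FRAME = build_ipv4_udp("06:bf:dc:16:87:aa", "06:4b:8e:2d:e6:76",
                             "45.156.96.12", "208.76.18.31", 6363, 46422,
                             INNER_PAYLOAD)
SAMPLE_FRAME = build_ipv4_udp("06:1d:f1:cb:ae:16", "06:68:cb:f8:8f:56",
                              "10.0.62.55", "10.4.61.197", 65455, VXLAN_PORT,
                              vxlan_header(13686788) + INNER_FRAME)

if __name__ == "__main__":
    import pprint
    pprint.pprint(decode(SAMPLE_FRAME))
```

The decoder refuses to decapsulate a port-4789 datagram whose VXLAN "I" flag is clear, and it caps nesting depth, so a crafted packet cannot make it recurse indefinitely. To apply it to a real mirror session, feed it the raw frames from a pcap (for example via a pcap reader library) instead of SAMPLE_FRAME.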