Why everytime I run packetbeat and I open kibana to see the indexed pcap data the number of hits of the same pcap file keep changing?

Niveah_Tefillah · April 6, 2017, 8:10pm

andrewkroh · April 6, 2017, 10:42pm

Are you using -waitstop <seconds> to give Packetbeat time to finish sending the events before exiting?

  -waitstop int
    	Additional seconds to wait before shutting down

Niveah_Tefillah · April 7, 2017, 12:12am

Yes, even when I try it with waitstop I still obtain varying number of hits on kibana for the same pcap file with 2k odd packets. However, I did read in a different post which said "While you can use Packetbeat to read the packets from a pcap file, its implementation assumes that the packets are read in real time, which can cause some issues with timeout transactions (the time is measured from the current time, not from the initial packet's time". And I want to believe this is the reason for my issue but I cannot tell for real.

steffens · April 7, 2017, 4:48pm

This discussion pretty much explains whats going on: Why packetbeat generates result of "libbeat.publisher.published_events" changing every time

The last 2 posts do contain some follow-up github tickets improving on the pcap-reading use-case.

system · April 27, 2017, 8:10pm

This topic was automatically closed after 21 days. New replies are no longer allowed.