68 lines
2.9 KiB
Text
68 lines
2.9 KiB
Text
[[faq]]
|
|
== Frequently asked questions
|
|
|
|
This section contains frequently asked questions about Packetbeat. Also check out the
|
|
https://discuss.elastic.co/c/beats/packetbeat[Packetbeat discussion forum].
|
|
|
|
[float]
|
|
[[dashboard-fields-incorrect]]
|
|
=== Dashboard in Kibana is breaking up data fields incorrectly?
|
|
|
|
The index template might not be loaded correctly. See <<packetbeat-template>>.
|
|
|
|
[float]
|
|
[[packetbeat-mirror-ports]]
|
|
=== Packetbeat doesn't see any packets when using mirror ports?
|
|
|
|
The interface needs to be set to promiscuous mode. Run the following command:
|
|
|
|
["source","sh",subs="attributes,callouts"]
|
|
----------------------------------------------------------------------
|
|
ip link set <device_name> promisc on
|
|
----------------------------------------------------------------------
|
|
|
|
For example: `ip link set enp5s0f1 promisc on`
|
|
|
|
[float]
|
|
[[packetbeat-loopback-interface]]
|
|
=== Packetbeat can't capture traffic from Windows loopback interface?
|
|
|
|
Packetbeat is unable to capture traffic from the loopback device (127.0.0.1 traffic)
|
|
because the Windows TCP/IP stack does not implement a network loopback interface,
|
|
making it difficult for Windows packet capture drivers like WinPcap to sniff traffic.
|
|
|
|
As a workaround, you can try installing
|
|
https://github.com/nmap/npcap/releases[Npcap], an update of WinPcap. Make sure
|
|
you install Npcap in WinPcap API-compatible mode (`/winpcap_mode=yes`), or
|
|
{beatname_uc} will be unable to find the required DLLs. After installing Npcap,
|
|
restart Windows. Npcap creates an Npcap Loopback Adapter that you can select if
|
|
you want to capture loopback traffic.
|
|
|
|
For the list of devices shown here, you would configure Packetbeat
|
|
to use device `4`:
|
|
|
|
["source","sh"]
|
|
----------------------------------------------------------------------
|
|
PS C:\Users\vagrant\Desktop\packetbeat-1.2.0-windows> .\packetbeat.exe -devices
|
|
0: \Device\NPF_NdisWanBh (NdisWan Adapter)
|
|
1: \Device\NPF_NdisWanIp (NdisWan Adapter)
|
|
2: \Device\NPF_NdisWanIpv6 (NdisWan Adapter)
|
|
3: \Device\NPF_{DD72B02C-4E48-4924-8D0F-F80EA2755534} (Intel(R) PRO/1000 MT Desktop Adapter)
|
|
4: \Device\NPF_{77DFFCAF-1335-4B0D-AFD4-5A4685674FAA} (MS NDIS 6.0 LoopBack Driver)
|
|
----------------------------------------------------------------------
|
|
|
|
[float]
|
|
[[packetbeat-missing-transactions]]
|
|
=== Packetbeat is missing long running transactions?
|
|
|
|
Packetbeat has an internal timeout that it uses to time out transactions and TCP connections
|
|
when no packets have been seen for a long time.
|
|
|
|
To process long running transactions, you can specify a larger value for the <<transaction-timeout-option,`transaction_timeout`>>
|
|
option. However, keep in mind that very large timeout values can increase memory usage if messages are lost or transaction
|
|
response messages are not sent.
|
|
|
|
include::./faq-mysql-ssl.asciidoc[]
|
|
include::../../libbeat/docs/faq-limit-bandwidth.asciidoc[]
|
|
include::../../libbeat/docs/shared-faq.asciidoc[]
|
|
include::../../libbeat/docs/faq-refresh-index.asciidoc[]
|