WARNING: Version 1.3 of Packetbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Interfaces
editInterfaces
editThe interfaces
section configures the sniffer. Here is an example configuration:
# Select the network interfaces to sniff the data. You can use the "any" # keyword to sniff on all connected interfaces. interfaces: # On which device to sniff device: any # The maximum capture size of a single packet. snaplen: 1514 # The type of the sniffer to use type: af_packet # The size of the sniffing buffer buffer_size_mb: 100
Sniffing Options
editYou can specify the following options in the interfaces
section:
device
editThe network device to capture traffic from. The specified device is set automatically to promiscuous mode, meaning that Packetbeat can capture traffic from other hosts on the same LAN.
Example:
interfaces: device: eth0
On Linux, you can specify any
for the device, and Packetbeat captures all
messages sent or received by the server where Packetbeat is installed.
When you specify any
for the device, the interfaces are not set
to promiscuous mode.
The device
option also accepts specifying the device by its index in the list of
devices available for sniffing. To obtain the list of available devices,
run Packetbeat with the following command:
packetbeat -devices
This command returns a list that looks something like the following:
0: en0 (No description available) 1: awdl0 (No description available) 2: bridge0 (No description available) 3: fw0 (No description available) 4: en1 (No description available) 5: en2 (No description available) 6: p2p0 (No description available) 7: en4 (No description available) 8: lo0 (No description available)
The following example sets up sniffing on the first interface in the list:
interfaces: device: 0
Specifying the index is especially useful on Windows where device names can be long.
snaplen
editThe maximum size of the packets to capture. The default is 65535, which is large enough for almost all networks and interface types. If you sniff on a physical network interface, the optimal setting is the MTU size. On virtual interfaces, however, it’s safer to accept the default value.
Example:
interfaces: device: eth0 snaplen: 1514
type
editPacketbeat supports three sniffer types:
-
pcap
, which uses the libpcap library and works on most platforms, but it’s not the fastest option. -
af_packet
, which uses memory-mapped sniffing. This option is faster than libpcap and doesn’t require a kernel module, but it’s Linux-specific. -
pf_ring
, which makes use of an ntop.org project. This setting provides the best sniffing speed, but it requires a kernel module, and it’s Linux-specific.
The default sniffer type is pcap
.
Here is an example configuration that specifies
the af_packet
sniffing type:
interfaces: device: eth0 type: af_packet
On Linux, if you are trying to optimize the CPU usage of Packetbeat,
we recommend trying the af_packet
and pf_ring
options. Read Setting Traffic Capturing Options
for more details.
If you use the af_packet
sniffer, you can tune its behaviour by specifying the
following options:
buffer_size_mb
editThe maximum size of the shared memory buffer to use
between the kernel and user space. A bigger buffer usually results in lower CPU
usage, but consumes more memory. This setting is only available for the
af_packet
sniffer type. The default is 30 MB.
Example:
interfaces: device: eth0 type: af_packet buffer_size_mb: 100
with_vlans
editPacketbeat automatically generates a
BPF for capturing only
the traffic on ports where it expects to find known protocols.
For example, if you have configured port 80 for HTTP and port 3306 for MySQL,
Packetbeat generates the following BPF filter: "port 80 or port 3306"
.
However, if the traffic contains VLAN
tags, the filter that Packetbeat generates is ineffective because the
offset is moved by four bytes. To fix this, you can enable the with_vlans
option, which
generates a BPF filter that looks like this: "port 80 or port 3306 or (vlan and (port 80 or port 3306))"
.
bpf_filter
editPacketbeat automatically generates a
BPF for capturing only
the traffic on ports where it expects to find known protocols.
For example, if you have configured port 80 for HTTP and port 3306 for MySQL,
Packetbeat generates the following BPF filter: "port 80 or port 3306"
.
You can use the bpf_filter
setting to overwrite the generated BPF filter. For example:
interfaces: device: eth0 bpf_filter: "net 192.168.238.0/0 and port 80 and port 3306"
This setting disables automatic generation of the BPF filter. If
you use this setting, it’s your responsibility to keep the BPF filters in sync with the
ports defined in the protocols
section.