Command Line Options

edit

The following command line options are available for Packetbeat. To use these options, you need to start Packetbeat in the foreground.

Run ./packetbeat -h to see the full list of options from the command line.

Packet-Beat Specific Options

edit

These command line options are specific to Packetbeat:

-I <file>
Pass a pcap file as input to Packetbeat instead of reading packets from the network. This option is useful only for testing Packetbeat. Example: -I ~/pcaps/network_traffic.pcap.
-O
Read packets one by one by pressing Enter after each. This option is useful only for testing Packetbeat.
-devices
Print the list of devices that are available for sniffing.
-dump <file>
Write all captured packets to a file. This option is useful for troubleshooting Packetbeat.
-l <n>
Read the pcap file n number of times. Use this option in combination with the -I option. For an infinite loop, use 0. The -l option is useful only for testing Packetbeat.
-t
Read the packets from the pcap file as fast as possible without sleeping. Use this option in combination with the -I option. The -t option is useful only for testing Packetbeat.
-waitstop <n>
Wait an additional n seconds before exiting.

Other Options

edit

These command line options from libbeat are also available for Packetbeat:

-E <setting>=<value>

Overwrite an individual setting in the config file. For example:

sudo ./packetbeat -c packetbeat.yml -E name=mybeat
-N
Disable the publishing of events to the defined output. This option is useful only for testing the Beat.
-c <file>
Pass the location of a configuration file for the Beat.
-configtest
Test the configuration file and then exit. This option is useful for troubleshooting the configuration of a Beat.
-cpuprofile <output file>
Write CPU profile data to the specified file. This option is useful for troubleshooting the Beat.
-d <selectors>
Enable debugging for the specified selectors. For the selectors, you can specify a comma-separated list of components, or you can use -d "*" to enable debugging for all components. For example, -d "publish" displays all the "publish" related messages.
-e
Log to stderr and disable syslog/file output.
-httpprof [<host>]:<port>
Start http server for profiling. This option is useful for troubleshooting and profiling the Beat.
-memprofile <output file>
Write memory profile data to the specified output file. This option is useful for troubleshooting the Beat.
-path.config
Set the default location for configuration (e.g. the Elasticsearch template). See the Directory Layout section for details.
-path.data
Set the default location for data files. See the Directory Layout section for details.
-path.home
Set the default location for miscellaneous files. See the Directory Layout section for details.
-path.logs
Set the default location for log files. See the Directory Layout section for details.
-v
Enable verbose output to show INFO-level messages.
-version
Display the Beat version and exit.