- Packetbeat Reference: other versions:
- Overview
- Getting started with Packetbeat
- Setting up and running Packetbeat
- Upgrading Packetbeat
- Configuring Packetbeat
- Set traffic capturing options
- Set up flows to monitor network traffic
- Specify which transaction protocols to monitor
- Specify which processes to monitor
- Specify general settings
- Configure the internal queue
- Configure the output
- Configure index lifecycle management
- Specify SSL settings
- Filter and enhance the exported data
- Define processors
- Add cloud metadata
- Add fields
- Add labels
- Add the local time zone
- Add tags
- Decode JSON fields
- Decode Base64 fields
- Decompress gzip fields
- Community ID Network Flow Hash
- Convert
- Drop events
- Drop fields from events
- Extract array
- Keep fields from events
- Registered Domain
- Rename fields from events
- Add Kubernetes metadata
- Add Docker metadata
- Add Host metadata
- Add Observer metadata
- Dissect strings
- DNS Reverse Lookup
- Add process metadata
- Parse data by using ingest node
- Enrich events with geoIP information
- Configure project paths
- Configure the Kibana endpoint
- Load the Kibana dashboards
- Load the Elasticsearch index template
- Configure logging
- Use environment variables in the configuration
- YAML tips and gotchas
- HTTP Endpoint
- packetbeat.reference.yml
- Exported fields
- AMQP fields
- Beat fields
- Cassandra fields
- Cloud provider metadata fields
- Common fields
- DHCPv4 fields
- DNS fields
- Docker fields
- ECS fields
- Flow Event fields
- Host fields
- HTTP fields
- ICMP fields
- Jolokia Discovery autodiscover provider fields
- Kubernetes fields
- Memcache fields
- MongoDb fields
- MySQL fields
- NFS fields
- PostgreSQL fields
- Process fields
- Raw fields
- Redis fields
- Thrift-RPC fields
- TLS fields
- Transaction Event fields
- Measurements (Transactions) fields
- Monitoring Packetbeat
- Securing Packetbeat
- Visualizing Packetbeat data in Kibana
- Troubleshooting
- Get help
- Debug
- Record a trace
- Common problems
- Dashboard in Kibana is breaking up data fields incorrectly
- Packetbeat doesn’t see any packets when using mirror ports
- Packetbeat can’t capture traffic from Windows loopback interface
- Packetbeat is missing long running transactions
- Packetbeat isn’t capturing MySQL performance data
- Packetbeat uses too much bandwidth
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
- Fields show up as nested JSON in Kibana
- Contributing to Beats
Capture TLS traffic
editCapture TLS traffic
editTLS is a cryptographic protocol that provides secure communications on top of an existing application protocol, like HTTP or MySQL.
Packetbeat intercepts the initial handshake in a TLS connection and extracts useful information that helps operators diagnose problems and strengthen the security of their network and systems. It does not decrypt any information from the encapsulated protocol, nor does it reveal any sensitive information such as cryptographic keys. TLS versions 1.0 to 1.3 and SSL 3.0 are supported.
It works by intercepting the client and server "hello" messages, which contain the negotiated parameters for the connection such as cryptographic ciphers and protocol versions. It can also intercept TLS alerts, which are sent by one of the parties to signal a problem with the negotiation, such as an expired certificate or a cryptographic error.
An example of indexed event:
"tls": { "handshake_completed": true, "server_certificate": { "version": 3, "issuer": { "organization": "GlobalSign nv-sa", "common_name": "GlobalSign CloudSSL CA - SHA256 - G3", "country": "BE" }, "subject": { "organization": "Fastly, Inc.", "locality": "San Francisco", "province": "California", "common_name": "r2.shared.global.fastly.net", "country": "US" }, "not_before": "2017-11-30T16:52:06.000Z", "not_after": "2018-11-09T20:51:05.000Z", "alternative_names": [ "elastic.co" ], "serial_number": "19260053873395556258503998518", "signature_algorithm": "SHA256-RSA", "public_key_algorithm": "RSA" }, "server_certificate_chain": [ { "not_after": "2025-08-19T00:00:00.000Z", "version": 3, "serial_number": "1438827024893517455116777811697460", "signature_algorithm": "SHA256-RSA", "public_key_algorithm": "RSA", "not_before": "2015-08-19T00:00:00.000Z", "issuer": { "organizational_unit": "Root CA", "common_name": "GlobalSign Root CA", "country": "BE", "organization": "GlobalSign nv-sa" }, "subject": { "country": "BE", "organization": "GlobalSign nv-sa", "common_name": "GlobalSign CloudSSL CA - SHA256 - G3" } } ], "resumed": false, "client_hello": { "extensions": { "server_name_indication": [ "www.elastic.co" ], "supported_groups": [ "secp256r1", "secp384r1", "secp521r1" ], "ec_points_formats": [ "uncompressed" ], "signature_algorithms": [ "rsa_pkcs1_sha256", "rsa_pkcs1_sha1", [...] ], "application_layer_protocol_negotiation": [ "h2", "h2-16", [...] ], }, "version": "3.3", "supported_ciphers": [ "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", [...] ], "supported_compression_methods": [ "NULL" ] }, "server_hello": { "extensions": { "ec_points_formats": [ "uncompressed", "ansiX962_compressed_prime", "ansiX962_compressed_char2" ], "application_layer_protocol_negotiation": [ "h2" ], }, "version": "3.3", "selected_cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "selected_compression_method": "NULL" }, }
The client_hello contains the algorithms and extensions supported by the
client, as well as the maximum TLS version it supports (3.3).
The server_hello contains the final settings for the TLS session: The
selected cipher, compression method, TLS version to use and other extensions
such as application layer protocol negotiation (ALPN).
The resumed key indicates if the session has been resumed (true) or
a full handshake has been performed (false). When true, an additional field
is present: resumption_method which is id if the session has been
resumed using session IDs (stateful) or ticket if it has resumed using
session tickets (stateless).
See the TLS fields section for more detailed information.
The following settings are specific to the TLS protocol. Here is a sample
configuration for the tls section of the packetbeat.yml config file:
packetbeat.protocols: - type: tls send_certificates: true include_raw_certificates: false fingerprints: [ sha1, sha256 ]
Configuration options
editThe send_certificates and include_raw_certificates settings are useful
for limiting the amount of data Packetbeat indexes, as multiple certificates
are usually exchanged in a single transaction, and those can take a considerable
amount of storage.
Also see Common protocol options.
send_certificates
editThis setting causes the certificates presented by the client and server to be
included in the event. The server’s certificate is indexed in the
server_certificate field and its certification chain in the
server_certificate_chain field. For the client, the
client_certificate and client_certificate_chain fields are used.
The default is true.
include_raw_certificates
editWhen send_certificates is true, you can set include_raw_certificates to
include the raw certificate encoded in PEM format as a raw field.
If send_certificates is false, this setting is ignored. The default is false.
fingerprints
editDefines a list of hash algorithms to calculate the certificate’s fingerprints.
Valid values are sha1, sha256 and md5.
If send_certificates is false, this setting is ignored. The default is to
output SHA-1 fingerprints.