泰德苏
2018-08-12 17:14
I ran the following on Windows:
C:\Users\ehagsuu\Desktop\elastic\packetbeat-5.6.4-windows-x86
λ Ppacketbeat.exe -e -c es.yml -strict.perms=false
The result was:
2018/08/12 09:09:36.076161 beat.go:346: CRIT Exiting: Initializing sniffer failed: Error creating sniffer: Couldn't understand device index 0: Looking for device index 0, but there are only 0 devices
Exiting: Initializing sniffer failed: Error creating sniffer: Couldn't understand device index 0: Looking for device index 0, but there are only 0 devices
##########
It is probably the packetbeat.interfaces.device: 0 setting in es.yml that is not configured correctly; I tried eth0 and lo0 and it would not restart properly with either.
I also ran packetbeat devices in the Windows environment:
C:\Users\ehagsuu\Desktop\elastic\packetbeat-5.6.4-windows-x86
λ Ppacketbeat.exe devices
Exiting: Initializing sniffer failed: Error creating sniffer: Couldn't understand device index 0: Looking for device index 0, but there are only 0 devices
C:\Users\ehagsuu\Desktop\elastic\packetbeat-5.6.4-windows-x86
What is the configuration in es.yml? Also, does your HTTP traffic actually go through this network adapter?
packetbeat.interfaces.device: 0
On Windows, network adapter device names are quite long, so packetbeat provides a separate parameter, packetbeat -device, which returns the whole array of available adapter devices; you can write the array index directly to refer to the device, for example device: 0.
I captured some packets, but I don't see the HTTP packets shown in the video: they are all UDP.
2018/08/12 10:46:27.756161 sniffer.go:145: INFO Resolved device index 1 to device: \Device\NPF_{5E472DB4-3BFB-4696-A0DF-4A1BA12EBEB3}
2018/08/12 10:46:27.812161 beat.go:233: INFO packetbeat start running.
{"@timestamp":"2018-08-12T10:46:40.000Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff","port":137},"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac":"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}
2018/08/12 10:46:40.546161 client.go:667: INFO Connected to Elasticsearch version 5.6.3
2018/08/12 10:46:40.547161 output.go:317: INFO Trying to load template for client: http://localhost:9200
2018/08/12 10:46:40.560161 output.go:341: INFO Template already exists and will not be overwritten.
{"@timestamp":"2018-08-12T10:46:49.999Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff","port":137},"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac":"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}
2018/08/12 10:46:56.488161 metrics.go:39: INFO Non-zero metrics in the last 30s: libbeat.es.call_count.PublishEvents=2 libbeat.es.publish.read_bytes=1061 libbeat.es.publish.write_bytes=1740 libbeat.es.published_and_acked_events=2 libbeat.publisher.messages_in_worker_queues=4 libbeat.publisher.published_events=2
{"@timestamp":"2018-08-12T10:46:59.999Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff","port":137},"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac":"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}
{"@timestamp":"2018-08-12T10:47:09.998Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff","port":137},"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac":"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}
{"@timestamp":"2018-08-12T10:47:19.998Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff","port":137},"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac":"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}
2018/08/12 10:47:26.486161 metrics.go:39: INFO Non-zero metrics in the last 30s: libbeat.es.call_count.PublishEvents=3 libbeat.es.publish.read_bytes=934 libbeat.es.publish.write_bytes=2250 libbeat.es.published_and_acked_events=3 libbeat.publisher.messages_in_worker_queues=6 libbeat.publisher.published_events=3
{"@timestamp":"2018-08-12T10:47:29.997Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff","port":137},"final":true,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac":"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}
2018/08/12 10:47:56.484161 metrics.go:39: INFO Non-zero metrics in the last 30s: libbeat.es.call_count.PublishEvents=1 libbeat.es.publish.read_bytes=313 libbeat.es.publish.write_bytes=749 libbeat.es.published_and_acked_events=1 libbeat.publisher.messages_in_worker_queues=2 libbeat.publisher.published_events=1
2018/08/12 10:47:57.357161 packetbeat.go:184: INFO Packetbeat send stop signal
2018/08/12 10:47:57.821161 sniffer.go:384: INFO Input finish. Processed 3 packets. Have a nice day!
2018/08/12 10:47:57.821161 util.go:48: INFO flows worker loop stopped
2018/08/12 10:47:57.821161 metrics.go:51: INFO Total non-zero values: libbeat.es.call_count.PublishEvents=6 libbeat.es.publish.read_bytes=2308 libbeat.es.publish.write_bytes=4739 libbeat.es.published_and_acked_events=6 libbeat.publisher.messages_in_worker_queues=12 libbeat.publisher.published_events=6
2018/08/12 10:47:57.822161 metrics.go:52: INFO Uptime: 1m31.467s
2018/08/12 10:47:57.822161 beat.go:237: INFO packetbeat stopped.
After installing WinPcap, devices appeared:
C:\Users\ehagsuu\Desktop\elastic\packetbeat-5.6.4-windows-x86
λ packetbeat.exe -devices
0: \Device\NPF_{4B5EBB52-6745-4792-A1B6-9D0B83004912} (Microsoft) (fe80::180d:af3b:a6bf:fa44 0.0.0.0)
1: \Device\NPF_{5E472DB4-3BFB-4696-A0DF-4A1BA12EBEB3} (Oracle) (fe80::50d7:4301:eee3:eea6 192.168.56.1)
2: \Device\NPF_{21E1A7C8-3D68-4F67-A214-1330E0D60952} (Intel(R) Ethernet Connection I217-LM) (fe80::e03c:550d:6d78:5fba 172.26.5.94)
3: \Device\NPF_{563D9FC1-6EF8-41BC-8C24-DF29D745C969} (VMware Virtual Ethernet Adapter) (fe80::e95e:9b4e:ed53:e7f1 192.168.23.1)
4: \Device\NPF_{626EF6A1-89EF-4D75-9D39-D2423A99BA7B} (Microsoft) (fe80::f407:802d:9f:cfa1 192.168.0.102)
But after putting these five values into es.yml I did not see any packets captured. Taking 0 as an example; the logs for the others are similar:
2018/08/12 09:39:59.830161 sniffer.go:145: INFO Resolved device index 0 to device: \Device\NPF_{4B5EBB52-6745-4792-A1B6-9D0B83004912}
2018/08/12 09:39:59.883161 beat.go:233: INFO packetbeat start running.
2018/08/12 09:40:28.697161 metrics.go:34: INFO No non-zero metrics in the last 30s
2018/08/12 09:40:58.695161 metrics.go:34: INFO No non-zero metrics in the last 30s
2018/08/12 09:41:28.693161 metrics.go:34: INFO No non-zero metrics in the last 30s
2018/08/12 09:41:51.367161 packetbeat.go:184: INFO Packetbeat send stop signal
2018/08/12 09:41:51.427161 sniffer.go:384: INFO Input finish. Processed 0 packets. Have a nice day!
C:\Users\ehagsuu\Desktop\elastic\packetbeat-5.6.4-windows-x86
λ ppacketbeat.exe -devices
No devices found.
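A small check that follows from the exchange above, added here as an example; it is not code from the thread, from the course, or from packetbeat itself. It parses the packetbeat.exe -devices listing printed in the thread into index/adapter/address records, so the packetbeat.interfaces.device index can be chosen by the IP address the HTTP traffic actually uses (which is what the instructor's question about the network adapter comes down to), and it collapses the repeated flow events by flow_id to show what a capture really contained. The device listing is the one from the thread; the log sample is constructed here, with the real UDP/137 events abbreviated and one TCP/80 flow and one HTTP event invented so the summary has something other than UDP to show. The field names in the invented events are assumptions.

```python
import json
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: the `packetbeat.exe -devices` listing exactly as it appears
# in the thread above (five NPF adapters, one IPv6/IPv4 address pair each).
DEVICES_OUTPUT = r"""
0: \Device\NPF_{4B5EBB52-6745-4792-A1B6-9D0B83004912} (Microsoft) (fe80::180d:af3b:a6bf:fa44 0.0.0.0)
1: \Device\NPF_{5E472DB4-3BFB-4696-A0DF-4A1BA12EBEB3} (Oracle) (fe80::50d7:4301:eee3:eea6 192.168.56.1)
2: \Device\NPF_{21E1A7C8-3D68-4F67-A214-1330E0D60952} (Intel(R) Ethernet Connection I217-LM) (fe80::e03c:550d:6d78:5fba 172.26.5.94)
3: \Device\NPF_{563D9FC1-6EF8-41BC-8C24-DF29D745C969} (VMware Virtual Ethernet Adapter) (fe80::e95e:9b4e:ed53:e7f1 192.168.23.1)
4: \Device\NPF_{626EF6A1-89EF-4D75-9D39-D2423A99BA7B} (Microsoft) (fe80::f407:802d:9f:cfa1 192.168.0.102)
"""

# "<index>: <\Device\NPF_{GUID}> (<description>) (<addresses...>)"; the description
# may itself contain parentheses ("Intel(R) ..."), the address list never does.
DEVICE_LINE = re.compile(r"^(\d+): (\S+) \((.*)\) \(([^)]*)\)$")


def parse_devices(output: str) -> List[Dict]:
    """Turn the -devices listing into records of index, NPF name, description, IPs."""
    devices = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line == "No devices found.":
            continue
        m = DEVICE_LINE.match(line)
        if not m:
            raise ValueError("unrecognised device line: %r" % line)
        devices.append({
            "index": int(m.group(1)),
            "device": m.group(2),
            "description": m.group(3),
            "ips": m.group(4).split(),
        })
    return devices


def device_index_for_ip(output: str, ip: str) -> Optional[int]:
    """The value to put in packetbeat.interfaces.device for the adapter that owns `ip`."""
    for dev in parse_devices(output):
        if ip in dev["ips"]:
            return dev["index"]
    return None


# Constructed sample log: two reports of the UDP/137 flow from the thread (same
# flow_id, the second marked final, fields abbreviated), plus one TCP/80 flow and
# one HTTP transaction event invented here; their field names are assumptions.
SAMPLE_LOG = """
2018/08/12 10:46:27.812161 beat.go:233: INFO packetbeat start running.
{"@timestamp":"2018-08-12T10:46:40.000Z","type":"flow","final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","transport":"udp","source":{"ip":"192.168.56.1","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"dest":{"ip":"192.168.56.255","port":137}}
{"@timestamp":"2018-08-12T10:47:29.997Z","type":"flow","final":true,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","transport":"udp","source":{"ip":"192.168.56.1","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"dest":{"ip":"192.168.56.255","port":137}}
{"@timestamp":"2018-08-12T10:47:30.000Z","type":"flow","final":true,"flow_id":"CONSTRUCTED-TCP-FLOW","transport":"tcp","source":{"ip":"172.26.5.94","port":51234},"dest":{"ip":"172.26.5.10","port":80}}
{"@timestamp":"2018-08-12T10:47:30.100Z","type":"http","transport":"tcp","client_ip":"172.26.5.94","ip":"172.26.5.10","port":80,"status":"OK"}
"""


def _events(log_text: str):
    """Yield the JSON event lines; timestamped logger lines are skipped."""
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("{"):
            yield json.loads(line)


def count_event_types(log_text: str) -> Dict[str, int]:
    """How many event lines of each type (flow, http, ...) the run produced."""
    return dict(Counter(ev.get("type", "?") for ev in _events(log_text)))


def summarize_flows(log_text: str) -> Dict[str, int]:
    """Unique flows per transport/destination port, e.g. {'udp/137': 1}.
    Packetbeat re-reports a live flow every period with the same flow_id, so the
    six UDP/137 lines in the thread are one flow of 3 packets, not six flows."""
    latest = {}
    for ev in _events(log_text):
        if ev.get("type") == "flow":
            latest[ev["flow_id"]] = ev  # a later report supersedes an earlier one
    return dict(Counter("%s/%s" % (ev["transport"], ev["dest"]["port"])
                        for ev in latest.values()))


if __name__ == "__main__":
    for dev in parse_devices(DEVICES_OUTPUT):
        print(dev["index"], dev["description"], dev["ips"])
    print("device index for 172.26.5.94:", device_index_for_ip(DEVICES_OUTPUT, "172.26.5.94"))
    print("event types:", count_event_types(SAMPLE_LOG))
    print("unique flows:", summarize_flows(SAMPLE_LOG))
```

Applied to the listing in the thread, 192.168.56.1 resolves to index 1, the Oracle adapter (from its 192.168.56.x address, a VirtualBox host-only network), and every flow event in the capture above is the same NetBIOS name-service broadcast (UDP port 137 from 192.168.56.1, 3 packets) reported five times with final:false and once with final:true; the physical Intel adapter at 172.26.5.94 is index 2. Choosing the index by the address the browser traffic leaves from, rather than trying each index in turn, is the quickest way to answer the instructor's question.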
Elastic Stack入门