packetbeat 无法启动

来源:3-7 Packetbeat演示

泰德苏

2018-08-12 17:14

我在windows执行了

C:\Users\ehagsuu\Desktop\elastic\packetbeat-5.6.4-windows-x86
λ Ppacketbeat.exe  -e -c es.yml -strict.perms=false


结果如下:

2018/08/12 09:09:36.076161 beat.go:346: CRIT Exiting: Initializing sniffer failed: Error creating sniffer: Couldn't unde
rstand device index 0: Looking for device index 0, but there are only 0 devices
Exiting: Initializing sniffer failed: Error creating sniffer: Couldn't understand device index 0: Looking for device ind
ex 0, but there are only 0 devices

##########

应该是es.yml中关于packetbeat.interfaces.device: 0的,没有设置正确,尝试了eth0,lo0都不会正确重启。

并且在windows环境中执行packetbeat devices

C:\Users\ehagsuu\Desktop\elastic\packetbeat-5.6.4-windows-x86
λ
Ppacketbeat.exe devices
Exiting: Initializing sniffer failed: Error creating sniffer: Couldn't understand device index 0: Looking for device index 0, but there are only 0 devices

C:\Users\ehagsuu\Desktop\elastic\packetbeat-5.6.4-windows-x86

写回答 关注

5回答

  • rockybean
    2018-08-12 21:43:04

    es.yml 的配置是什么?另外你的 http 包是否走的这个网卡?

    泰德苏

    es.yml原来用的是下载的那个资料里的,但是用了什么也没有。然后我把packetbeat.full修改了下,能抓到一些UDP的包。我是把所有的packbeat devices识别到的设备从0,4都试了一下。所以http是否存在可能走除了packebeat devices 结果之外的设备?

    2018-08-13 16:34:58

    共 1 条回复 >

  • fngqng
    2019-04-09 12:37:34

    packetbeat.interfaces.device: 0

     windows 上,网卡设备名称会比较长。所以 packetbeat 单独提供了一个参数:packetbeat -device,返回整个可用网卡设备列表数组,你可以直接写数组下标来代表这个设备。比如:device: 0


  • 泰德苏
    2018-08-12 18:49:40

    抓到了一些包,但是没有看到视频中的http的包:都是些UDP

    2018/08/12 10:46:27.756161 sniffer.go:145: INFO Resolved device index 1 to device: \Device\NPF_{5E472DB4-3BFB-4696-A0DF-4A1BA12EBEB3}                                   
    2018/08/12 10:46:27.812161 beat.go:233: INFO packetbeat start running.                                                                                                  
    {"@timestamp":"2018-08-12T10:46:40.000Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff",
    "port":137}
    ,"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac"
    :"0a:00:27:00:00:14","port":137,"stats":
    {"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}         
    2018/08/12 10:46:40.546161 client.go:667: INFO Connected to Elasticsearch version 5.6.3                                                                                 
    2018/08/12 10:46:40.547161 output.go:317: INFO Trying to load template for client: http://localhost:9200                                                                
    2018/08/12 10:46:40.560161 output.go:341: INFO Template already exists and will not be overwritten.                                                                     
    {"@timestamp":"2018-08-12T10:46:49.999Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff",
    "port":137},"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac"
    :"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}         
    2018/08/12 10:46:56.488161 metrics.go:39: INFO Non-zero metrics in the last 30s: libbeat.es.call_count.PublishEvents=2 libbeat.es.publish.read_bytes=1061 libbeat.es.pub
    lish.write_bytes=1740 libbeat.es.published_and_acked_events=2 libbeat.publisher.messages_in_worker_queues=4 libbeat.publisher.published_events=2                        
    {"@timestamp":"2018-08-12T10:46:59.999Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff",
    "port":137},"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac"
    :"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}         
    {"@timestamp":"2018-08-12T10:47:09.998Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff",
    "port":137},"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac"
    :"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}         
    {"@timestamp":"2018-08-12T10:47:19.998Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff",
    "port":137},"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac"
    :"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}         
    2018/08/12 10:47:26.486161 metrics.go:39: INFO Non-zero metrics in the last 30s: libbeat.es.call_count.PublishEvents=3 libbeat.es.publish.read_bytes=934 libbeat.es.publ
    ish.write_bytes=2250 libbeat.es.published_and_acked_events=3 libbeat.publisher.messages_in_worker_queues=6 libbeat.publisher.published_events=3                         
    {"@timestamp":"2018-08-12T10:47:29.997Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff",
    "port":137},"final":true,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac":
    "0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}          
    2018/08/12 10:47:56.484161 metrics.go:39: INFO Non-zero metrics in the last 30s: libbeat.es.call_count.PublishEvents=1 libbeat.es.publish.read_bytes=313 libbeat.es.publ
    ish.write_bytes=749 libbeat.es.published_and_acked_events=1 libbeat.publisher.messages_in_worker_queues=2 libbeat.publisher.published_events=1                          
    2018/08/12 10:47:57.357161 packetbeat.go:184: INFO Packetbeat send stop signal                                                                                          
    2018/08/12 10:47:57.821161 sniffer.go:384: INFO Input finish. Processed 3 packets. Have a nice day!                                                                     
    2018/08/12 10:47:57.821161 util.go:48: INFO flows worker loop stopped                                                                                                   
    2018/08/12 10:47:57.821161 metrics.go:51: INFO Total non-zero values:  libbeat.es.call_count.PublishEvents=6 libbeat.es.publish.read_bytes=2308 libbeat.es.publish.write
    _bytes=4739 libbeat.es.published_and_acked_events=6 libbeat.publisher.messages_in_worker_queues=12 libbeat.publisher.published_events=6                                 
    2018/08/12 10:47:57.822161 metrics.go:52: INFO Uptime: 1m31.467s                                                                                                        
    2018/08/12 10:47:57.822161 beat.go:237: INFO packetbeat stopped.                                                                                                        
                                                                                                                                                                           

  • 泰德苏
    2018-08-12 17:49:53

    装完WinPcap值后出现了device

    C:\Users\ehagsuu\Desktop\elastic\packetbeat-5.6.4-windows-x86
    λ packetbeat.exe  -devices
    0: \Device\NPF_{4B5EBB52-6745-4792-A1B6-9D0B83004912} (Microsoft) (fe80::180d:af3b:a6bf:fa44 0.0.0.0)
    1: \Device\NPF_{5E472DB4-3BFB-4696-A0DF-4A1BA12EBEB3} (Oracle) (fe80::50d7:4301:eee3:eea6 192.168.56.1)
    2: \Device\NPF_{21E1A7C8-3D68-4F67-A214-1330E0D60952} (Intel(R) Ethernet Connection I217-LM) (fe80::e03c:550d:6d78:5fba 172.26.5.94)
    3: \Device\NPF_{563D9FC1-6EF8-41BC-8C24-DF29D745C969} (VMware Virtual Ethernet Adapter) (fe80::e95e:9b4e:ed53:e7f1 192.168.23.1)
    4: \Device\NPF_{626EF6A1-89EF-4D75-9D39-D2423A99BA7B} (Microsoft) (fe80::f407:802d:9f:cfa1 192.168.0.102)

    但是我把这五个值更新在es.yml并没有发现有什么包被抓到,以0为例,其余都是类似的log

    2018/08/12 09:39:59.830161 sniffer.go:145: INFO Resolved device index 0 to device: \Device\NPF_{4B5EBB52-6745-4792-A1B6-9D0B83004912}
    2018/08/12 09:39:59.883161 beat.go:233: INFO packetbeat start running.
    2018/08/12 09:40:28.697161 metrics.go:34: INFO No non-zero metrics in the last 30s
    2018/08/12 09:40:58.695161 metrics.go:34: INFO No non-zero metrics in the last 30s
    2018/08/12 09:41:28.693161 metrics.go:34: INFO No non-zero metrics in the last 30s
    2018/08/12 09:41:51.367161 packetbeat.go:184: INFO Packetbeat send stop signal
    2018/08/12 09:41:51.427161 sniffer.go:384: INFO Input finish. Processed 0 packets. Have a nice day!

  • 泰德苏
    2018-08-12 17:19:37

    C:\Users\ehagsuu\Desktop\elastic\packetbeat-5.6.4-windows-x86
    λ ppacketbeat.exe -devices
    No devices found.

Elastic Stack入门

Elasticsearch、Logstash、Beats、Kibana基础知识入门

32742 学习 · 76 问题

查看课程

相似问题