                        課程
                    
                        /云計(jì)算&大數(shù)據(jù)
                        
                            /大數(shù)據(jù)
                        
                        /Elastic Stack入門(mén)

packetbeat 無(wú)法啟動(dòng)

我在windows執(zhí)行了

C:\Users\ehagsuu\Desktop\elastic\packetbeat-5.6.4-windows-x86
λ Ppacketbeat.exe? -e -c es.yml -strict.perms=false

結(jié)果如下：

2018/08/12 09:09:36.076161 beat.go:346: CRIT Exiting: Initializing sniffer failed: Error creating sniffer: Couldn't unde
rstand device index 0: Looking for device index 0, but there are only 0 devices
Exiting: Initializing sniffer failed: Error creating sniffer: Couldn't understand device index 0: Looking for device ind
ex 0, but there are only 0 devices

##########

應(yīng)該是es.yml中關(guān)于packetbeat.interfaces.device: 0的，沒(méi)有設(shè)置正確，嘗試了eth0，lo0都不會(huì)正確重啟。

并且在windows環(huán)境中執(zhí)行packetbeat devices

C:\Users\ehagsuu\Desktop\elastic\packetbeat-5.6.4-windows-x86
λ Ppacketbeat.exe devices
Exiting: Initializing sniffer failed: Error creating sniffer: Couldn't understand device index 0: Looking for device index 0, but there are only 0 devices

C:\Users\ehagsuu\Desktop\elastic\packetbeat-5.6.4-windows-x86

泰德蘇

2018-08-12

源自：Elastic Stack入門(mén) 3-7

關(guān)注問(wèn)題我要回答

5016

操作

收起

5 回答

rockybean
2018-08-12

es.yml 的配置是什么？另外你的 http 包是否走的這個(gè)網(wǎng)卡？

0 回復(fù) 有任何疑惑可以回復(fù)我~

收起回答

#1

泰德蘇提問(wèn)者

es.yml原來(lái)用的是下載的那個(gè)資料里的，但是用了什么也沒(méi)有。然后我把packetbeat.full修改了下，能抓到一些UDP的包。我是把所有的packbeat devices識(shí)別到的設(shè)備從0,4都試了一下。所以http是否存在可能走除了packebeat devices 結(jié)果之外的設(shè)備？

2018-08-13 回復(fù) 有任何疑惑可以回復(fù)我~

fngqng
2019-04-09

packetbeat.interfaces.device: 0

?windows 上，網(wǎng)卡設(shè)備名稱會(huì)比較長(zhǎng)。所以 packetbeat 單獨(dú)提供了一個(gè)參數(shù)：packetbeat -device，返回整個(gè)可用網(wǎng)卡設(shè)備列表數(shù)組，你可以直接寫(xiě)數(shù)組下標(biāo)來(lái)代表這個(gè)設(shè)備。比如：device: 0。

0 回復(fù) 有任何疑惑可以回復(fù)我~

收起回答

泰德蘇提問(wèn)者
2018-08-12

抓到了一些包，但是沒(méi)有看到視頻中的http的包：都是些UDP

2018/08/12 10:46:27.756161 sniffer.go:145: INFO Resolved device index 1 to device: \Device\NPF_{5E472DB4-3BFB-4696-A0DF-4A1BA12EBEB3}????????????????????????????????? ?
2018/08/12 10:46:27.812161 beat.go:233: INFO packetbeat start running.???????????????????????????????????????????????????????????????????????????????????????????????? ?
{"@timestamp":"2018-08-12T10:46:40.000Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff",
"port":137},"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac"
:"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}??????? ?
2018/08/12 10:46:40.546161 client.go:667: INFO Connected to Elasticsearch version 5.6.3??????????????????????????????????????????????????????????????????????????????? ?
2018/08/12 10:46:40.547161 output.go:317: INFO Trying to load template for client: http://localhost:9200?????????????????????????????????????????????????????????????? ?
2018/08/12 10:46:40.560161 output.go:341: INFO Template already exists and will not be overwritten.??????????????????????????????????????????????????????????????????? ?
{"@timestamp":"2018-08-12T10:46:49.999Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff",
"port":137},"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac"
:"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}??????? ?
2018/08/12 10:46:56.488161 metrics.go:39: INFO Non-zero metrics in the last 30s: libbeat.es.call_count.PublishEvents=2 libbeat.es.publish.read_bytes=1061 libbeat.es.pub
lish.write_bytes=1740 libbeat.es.published_and_acked_events=2 libbeat.publisher.messages_in_worker_queues=4 libbeat.publisher.published_events=2?????????????????????? ?
{"@timestamp":"2018-08-12T10:46:59.999Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff",
"port":137},"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac"
:"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}??????? ?
{"@timestamp":"2018-08-12T10:47:09.998Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff",
"port":137},"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac"
:"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}??????? ?
{"@timestamp":"2018-08-12T10:47:19.998Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff",
"port":137},"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac"
:"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}??????? ?
2018/08/12 10:47:26.486161 metrics.go:39: INFO Non-zero metrics in the last 30s: libbeat.es.call_count.PublishEvents=3 libbeat.es.publish.read_bytes=934 libbeat.es.publ
ish.write_bytes=2250 libbeat.es.published_and_acked_events=3 libbeat.publisher.messages_in_worker_queues=6 libbeat.publisher.published_events=3??????????????????????? ?
{"@timestamp":"2018-08-12T10:47:29.997Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff",
"port":137},"final":true,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac":
"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}???????? ?
2018/08/12 10:47:56.484161 metrics.go:39: INFO Non-zero metrics in the last 30s: libbeat.es.call_count.PublishEvents=1 libbeat.es.publish.read_bytes=313 libbeat.es.publ
ish.write_bytes=749 libbeat.es.published_and_acked_events=1 libbeat.publisher.messages_in_worker_queues=2 libbeat.publisher.published_events=1???????????????????????? ?
2018/08/12 10:47:57.357161 packetbeat.go:184: INFO Packetbeat send stop signal???????????????????????????????????????????????????????????????????????????????????????? ?
2018/08/12 10:47:57.821161 sniffer.go:384: INFO Input finish. Processed 3 packets. Have a nice day!??????????????????????????????????????????????????????????????????? ?
2018/08/12 10:47:57.821161 util.go:48: INFO flows worker loop stopped????????????????????????????????????????????????????????????????????????????????????????????????? ?
2018/08/12 10:47:57.821161 metrics.go:51: INFO Total non-zero values:? libbeat.es.call_count.PublishEvents=6 libbeat.es.publish.read_bytes=2308 libbeat.es.publish.write
_bytes=4739 libbeat.es.published_and_acked_events=6 libbeat.publisher.messages_in_worker_queues=12 libbeat.publisher.published_events=6??????????????????????????????? ?
2018/08/12 10:47:57.822161 metrics.go:52: INFO Uptime: 1m31.467s?????????????????????????????????????????????????????????????????????????????????????????????????????? ?
2018/08/12 10:47:57.822161 beat.go:237: INFO packetbeat stopped.?????????????????????????????????????????????????????????????????????????????????????????????????????? ?
???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

0 回復(fù) 有任何疑惑可以回復(fù)我~

收起回答

泰德蘇提問(wèn)者
2018-08-12

裝完WinPcap值后出現(xiàn)了device

C:\Users\ehagsuu\Desktop\elastic\packetbeat-5.6.4-windows-x86
λ packetbeat.exe? -devices
0: \Device\NPF_{4B5EBB52-6745-4792-A1B6-9D0B83004912} (Microsoft) (fe80::180d:af3b:a6bf:fa44 0.0.0.0)
1: \Device\NPF_{5E472DB4-3BFB-4696-A0DF-4A1BA12EBEB3} (Oracle) (fe80::50d7:4301:eee3:eea6 192.168.56.1)
2: \Device\NPF_{21E1A7C8-3D68-4F67-A214-1330E0D60952} (Intel(R) Ethernet Connection I217-LM) (fe80::e03c:550d:6d78:5fba 172.26.5.94)
3: \Device\NPF_{563D9FC1-6EF8-41BC-8C24-DF29D745C969} (VMware Virtual Ethernet Adapter) (fe80::e95e:9b4e:ed53:e7f1 192.168.23.1)
4: \Device\NPF_{626EF6A1-89EF-4D75-9D39-D2423A99BA7B} (Microsoft) (fe80::f407:802d:9f:cfa1 192.168.0.102)

但是我把這五個(gè)值更新在es.yml并沒(méi)有發(fā)現(xiàn)有什么包被抓到，以0為例，其余都是類(lèi)似的log

2018/08/12 09:39:59.830161 sniffer.go:145: INFO Resolved device index 0 to device: \Device\NPF_{4B5EBB52-6745-4792-A1B6-9D0B83004912}
2018/08/12 09:39:59.883161 beat.go:233: INFO packetbeat start running.
2018/08/12 09:40:28.697161 metrics.go:34: INFO No non-zero metrics in the last 30s
2018/08/12 09:40:58.695161 metrics.go:34: INFO No non-zero metrics in the last 30s
2018/08/12 09:41:28.693161 metrics.go:34: INFO No non-zero metrics in the last 30s
2018/08/12 09:41:51.367161 packetbeat.go:184: INFO Packetbeat send stop signal
2018/08/12 09:41:51.427161 sniffer.go:384: INFO Input finish. Processed 0 packets. Have a nice day!