                        课程
                    
                        /云计算&大数据
                        
                            /大数据
                        
                        /Elastic Stack入门

packetbeat 无法启动

我在windows执行了

C:\Users\ehagsuu\Desktop\elastic\packetbeat-5.6.4-windows-x86
λ Ppacketbeat.exe -e -c es.yml -strict.perms=false

结果如下：

2018/08/12 09:09:36.076161 beat.go:346: CRIT Exiting: Initializing sniffer failed: Error creating sniffer: Couldn't unde
rstand device index 0: Looking for device index 0, but there are only 0 devices
Exiting: Initializing sniffer failed: Error creating sniffer: Couldn't understand device index 0: Looking for device ind
ex 0, but there are only 0 devices

##########

应该是es.yml中关于packetbeat.interfaces.device: 0的，没有设置正确，尝试了eth0，lo0都不会正确重启。

并且在windows环境中执行packetbeat devices

C:\Users\ehagsuu\Desktop\elastic\packetbeat-5.6.4-windows-x86
λ Ppacketbeat.exe devices
Exiting: Initializing sniffer failed: Error creating sniffer: Couldn't understand device index 0: Looking for device index 0, but there are only 0 devices

C:\Users\ehagsuu\Desktop\elastic\packetbeat-5.6.4-windows-x86

泰德苏

2018-08-12

源自：Elastic Stack入门 3-7

关注问题我要回答

4831

操作

收起

5 回答

rockybean
2018-08-12

es.yml 的配置是什么？另外你的 http 包是否走的这个网卡？

0 回复有任何疑惑可以回复我~

收起回答

泰德苏提问者

es.yml原来用的是下载的那个资料里的，但是用了什么也没有。然后我把packetbeat.full修改了下，能抓到一些UDP的包。我是把所有的packbeat devices识别到的设备从0,4都试了一下。所以http是否存在可能走除了packebeat devices 结果之外的设备？

2018-08-13 回复有任何疑惑可以回复我~

fngqng
2019-04-09

packetbeat.interfaces.device: 0

windows 上，网卡设备名称会比较长。所以 packetbeat 单独提供了一个参数：packetbeat -device，返回整个可用网卡设备列表数组，你可以直接写数组下标来代表这个设备。比如：device: 0。

0 回复有任何疑惑可以回复我~

收起回答

泰德苏提问者
2018-08-12

抓到了一些包，但是没有看到视频中的http的包：都是些UDP

2018/08/12 10:46:27.756161 sniffer.go:145: INFO Resolved device index 1 to device: \Device\NPF_{5E472DB4-3BFB-4696-A0DF-4A1BA12EBEB3}
2018/08/12 10:46:27.812161 beat.go:233: INFO packetbeat start running.
{"@timestamp":"2018-08-12T10:46:40.000Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff",
"port":137},"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac"
:"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}
2018/08/12 10:46:40.546161 client.go:667: INFO Connected to Elasticsearch version 5.6.3
2018/08/12 10:46:40.547161 output.go:317: INFO Trying to load template for client: http://localhost:9200
2018/08/12 10:46:40.560161 output.go:341: INFO Template already exists and will not be overwritten.
{"@timestamp":"2018-08-12T10:46:49.999Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff",
"port":137},"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac"
:"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}
2018/08/12 10:46:56.488161 metrics.go:39: INFO Non-zero metrics in the last 30s: libbeat.es.call_count.PublishEvents=2 libbeat.es.publish.read_bytes=1061 libbeat.es.pub
lish.write_bytes=1740 libbeat.es.published_and_acked_events=2 libbeat.publisher.messages_in_worker_queues=4 libbeat.publisher.published_events=2
{"@timestamp":"2018-08-12T10:46:59.999Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff",
"port":137},"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac"
:"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}
{"@timestamp":"2018-08-12T10:47:09.998Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff",
"port":137},"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac"
:"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}
{"@timestamp":"2018-08-12T10:47:19.998Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff",
"port":137},"final":false,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac"
:"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}
2018/08/12 10:47:26.486161 metrics.go:39: INFO Non-zero metrics in the last 30s: libbeat.es.call_count.PublishEvents=3 libbeat.es.publish.read_bytes=934 libbeat.es.publ
ish.write_bytes=2250 libbeat.es.published_and_acked_events=3 libbeat.publisher.messages_in_worker_queues=6 libbeat.publisher.published_events=3
{"@timestamp":"2018-08-12T10:47:29.997Z","beat":{"hostname":"CN00200036","name":"CN00200036","version":"5.6.4"},"dest":{"ip":"192.168.56.255","mac":"ff:ff:ff:ff:ff:ff",
"port":137},"final":true,"flow_id":"EQIA////DP////8U//8BAAEKACcAABT////////AqDgBwKg4/4kAiQA","last_time":"2018-08-12T10:46:38.814Z","source":{"ip":"192.168.56.1","mac":
"0a:00:27:00:00:14","port":137,"stats":{"net_bytes_total":276,"net_packets_total":3}},"start_time":"2018-08-12T10:46:37.314Z","transport":"udp","type":"flow"}
2018/08/12 10:47:56.484161 metrics.go:39: INFO Non-zero metrics in the last 30s: libbeat.es.call_count.PublishEvents=1 libbeat.es.publish.read_bytes=313 libbeat.es.publ
ish.write_bytes=749 libbeat.es.published_and_acked_events=1 libbeat.publisher.messages_in_worker_queues=2 libbeat.publisher.published_events=1
2018/08/12 10:47:57.357161 packetbeat.go:184: INFO Packetbeat send stop signal
2018/08/12 10:47:57.821161 sniffer.go:384: INFO Input finish. Processed 3 packets. Have a nice day!
2018/08/12 10:47:57.821161 util.go:48: INFO flows worker loop stopped
2018/08/12 10:47:57.821161 metrics.go:51: INFO Total non-zero values: libbeat.es.call_count.PublishEvents=6 libbeat.es.publish.read_bytes=2308 libbeat.es.publish.write
_bytes=4739 libbeat.es.published_and_acked_events=6 libbeat.publisher.messages_in_worker_queues=12 libbeat.publisher.published_events=6
2018/08/12 10:47:57.822161 metrics.go:52: INFO Uptime: 1m31.467s
2018/08/12 10:47:57.822161 beat.go:237: INFO packetbeat stopped.

0 回复有任何疑惑可以回复我~

收起回答

泰德苏提问者
2018-08-12

装完WinPcap值后出现了device

C:\Users\ehagsuu\Desktop\elastic\packetbeat-5.6.4-windows-x86
λ packetbeat.exe -devices
0: \Device\NPF_{4B5EBB52-6745-4792-A1B6-9D0B83004912} (Microsoft) (fe80::180d:af3b:a6bf:fa44 0.0.0.0)
1: \Device\NPF_{5E472DB4-3BFB-4696-A0DF-4A1BA12EBEB3} (Oracle) (fe80::50d7:4301:eee3:eea6 192.168.56.1)
2: \Device\NPF_{21E1A7C8-3D68-4F67-A214-1330E0D60952} (Intel(R) Ethernet Connection I217-LM) (fe80::e03c:550d:6d78:5fba 172.26.5.94)
3: \Device\NPF_{563D9FC1-6EF8-41BC-8C24-DF29D745C969} (VMware Virtual Ethernet Adapter) (fe80::e95e:9b4e:ed53:e7f1 192.168.23.1)
4: \Device\NPF_{626EF6A1-89EF-4D75-9D39-D2423A99BA7B} (Microsoft) (fe80::f407:802d:9f:cfa1 192.168.0.102)

但是我把这五个值更新在es.yml并没有发现有什么包被抓到，以0为例，其余都是类似的log

2018/08/12 09:39:59.830161 sniffer.go:145: INFO Resolved device index 0 to device: \Device\NPF_{4B5EBB52-6745-4792-A1B6-9D0B83004912}
2018/08/12 09:39:59.883161 beat.go:233: INFO packetbeat start running.
2018/08/12 09:40:28.697161 metrics.go:34: INFO No non-zero metrics in the last 30s
2018/08/12 09:40:58.695161 metrics.go:34: INFO No non-zero metrics in the last 30s
2018/08/12 09:41:28.693161 metrics.go:34: INFO No non-zero metrics in the last 30s
2018/08/12 09:41:51.367161 packetbeat.go:184: INFO Packetbeat send stop signal
2018/08/12 09:41:51.427161 sniffer.go:384: INFO Input finish. Processed 0 packets. Have a nice day!