Add support to sniff multiple interfaces
Unfortunately, on OSX there is no "any" device like there is on Linux for monitoring multiple interfaces. On OSX, a packetbeat instance can monitor a single interface. In order to monitor two interfaces (e.g. lo0 and en0), you need to start two packetbeat instances, one sniffing on lo0 and one on en0. It would be nice to be able to add multiple devices in the configuration file and then create multiple goroutines, each sniffing a single interface.
Requested by https://discuss.elastic.co/t/unable-to-get-mysql-stats-using-packet-beats/29719
Also requested here: https://discuss.elastic.co/t/listening-on-multiple-but-not-all-interfaces/66139
Is there a way in Windows Server to create virtual devices and route all the traffic of all devices to such a local, virtual device? Then, this virtual device could be captured as a workaround.
Also here: https://discuss.elastic.co/t/how-to-do-sniff-data-from-all-connected-network-in-windows-packetbeat/146734?u=cwurm
We are trying to build a SOCaaS using packetbeat and have the same need. For context (in Windows), a laptop may have multiple devices: wifi, Bluetooth, wired, virtual adapters such as VMWare or Docker etc. The biggest issue we run into is that packetbeat may identify them differently each boot / network connection. So setting to device 0 is sometimes the wired network, sometimes wifi and sometimes a virtual device. As a SOC we are interested in capturing all internet traffic, meaning we want to always capture all wired and wireless (we don't necessarily care about Bluetooth or virtual in most cases, but would rather capture all than just one). An "ANY" option like in Linux would be great, even if that translates down to packetbeat itself launching threads as needed to capture each device.
Pinging @elastic/siem (Team:SIEM)
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This would still be useful.
A lot of machines are using only Windows OS. It would be really helpful if we had an option for device interfaces. Even a turnaround to capture traffic would be helpful in Packetbeat.
Any new information on this?
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Hi! We just realized that we haven't looked into this issue in a while. We're sorry!
We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!
Still would be a nice feature for Windows endpoints. At the least, an update on capability if this is no longer relevant and is possible.
I'm still amazed this issue was opened on 'Sep 22, 2015' and is still open.
Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)
Any progress on this? It has been open for 9 years.
It would also be useful to be able to specify a pattern on which interfaces to capture from. For example, say a host has:
- lo
- eth0
- eth1
- docker0
Being able to specify this (currently fails): packetbeat.interfaces.device: eth*
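The two requests in this thread, one capture goroutine per configured device (the original issue) and a glob pattern such as `eth*` or an `any` pseudo-device for selecting interfaces (the comment above), can be sketched in a few lines of Go. The following is an added illustration written for this thread; it is not packetbeat code and does not reflect how packetbeat's sniffer is structured. It assumes shell-style globs matched with `path.Match`, treats the literal pattern `any` as "every interface" (both assumptions, not packetbeat configuration semantics), and injects the per-interface capture loop as a function so that the fan-out can be exercised without opening a pcap handle.

```go
package main

import (
	"fmt"
	"net"
	"path"
	"sync"
)

// matchInterfaces returns the candidate names that match at least one of the
// configured patterns. Patterns are shell-style globs ("eth*", "en[01]"),
// evaluated with path.Match; the literal pattern "any" selects every
// candidate (an assumed convention mirroring Linux's "any" device).
// An invalid glob is reported instead of silently matching nothing, which is
// the failure mode a practitioner most wants to see at startup.
func matchInterfaces(candidates []string, patterns []string) ([]string, error) {
	var selected []string
	for _, name := range candidates {
		for _, p := range patterns {
			if p == "any" {
				selected = append(selected, name)
				break
			}
			ok, err := path.Match(p, name)
			if err != nil {
				return nil, fmt.Errorf("invalid device pattern %q: %w", p, err)
			}
			if ok {
				selected = append(selected, name)
				break
			}
		}
	}
	return selected, nil
}

// localInterfaceNames lists the host's interface names via the standard
// library, so the same selection logic can run against a real machine.
func localInterfaceNames() ([]string, error) {
	ifaces, err := net.Interfaces()
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(ifaces))
	for _, ifc := range ifaces {
		names = append(names, ifc.Name)
	}
	return names, nil
}

// sniffAll starts one goroutine per selected device, runs the supplied
// capture loop on each, waits for all of them, and reports the per-device
// result. A failure on one device (e.g. no permission to open it) is recorded
// without stopping capture on the others.
func sniffAll(devices []string, sniff func(device string) error) map[string]error {
	var (
		wg      sync.WaitGroup
		mu      sync.Mutex
		results = make(map[string]error, len(devices))
	)
	for _, dev := range devices {
		wg.Add(1)
		go func(dev string) {
			defer wg.Done()
			err := sniff(dev)
			mu.Lock()
			results[dev] = err
			mu.Unlock()
		}(dev)
	}
	wg.Wait()
	return results
}

func main() {
	// Constructed interface list matching the example in the thread; replace
	// with localInterfaceNames() to run against the current host.
	hostDevices := []string{"lo", "eth0", "eth1", "docker0"}
	patterns := []string{"eth*"} // equivalent of packetbeat.interfaces.device: eth*

	devices, err := matchInterfaces(hostDevices, patterns)
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	// Stand-in capture loop: a real implementation would open the device
	// with a pcap library and decode packets until shutdown.
	results := sniffAll(devices, func(dev string) error {
		fmt.Println("sniffing on", dev)
		return nil
	})
	for dev, err := range results {
		fmt.Printf("%s: finished, err=%v\n", dev, err)
	}
}
```

The selection step and the fan-out step are deliberately separate: the first can be validated at configuration-load time (and logged, so an operator sees exactly which devices were chosen on a host whose adapter numbering changes between boots), while the second isolates per-device failures so one unopenable adapter does not take down capture on the rest.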
Hi! We just realized that we haven't looked into this issue in a while. We're sorry!
We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!
@nfritts is your team planning to work on this, or should we close this issue to avoid giving users false expectations?