
Add support for sniffing L2GRE encapsulated traffic to Packetbeat

Open GitSweendog opened this issue 7 years ago • 11 comments

We've used Packetbeat for many purposes, and appreciate the ability to generate JSON data directly off the wire. Normally, we can place a network sniffer running beats right on a system connected to a span or tap to get the data we need, but in some cases, we want to use a remote sensor.

Several switches, routers, and network aggregation and monitoring appliances (Gigamon, Cisco, Aruba etc.) can transmit locally monitored traffic over a layer 2 transport GRE tunnel. Essentially, a GRE connection is nailed up between the local system (Sniffer, Gigamon, etc.) and the remote host, and all traffic seen on the monitor port is encapsulated in GRE and sent up to the remote host.

The entire layer-two (Ethernet) packets are included in the tunnel, so all that should need to be done is to strip or ignore the first 37 bytes of data, which will expose a full frame. Then Packetbeat could work as normal when reassembling flows and decoding the protocol traffic.

Below is a screenshot of a Wireshark dissection of a sample DNS query encapsulated in GRE.

[screenshot: Wireshark dissection of the GRE-encapsulated DNS query]

GitSweendog, Jun 28 '18 13:06
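The unwrapping step described in the post, as an added example that is not part of the issue or of Packetbeat's code: a small Go parser that walks the outer Ethernet, IPv4 and GRE headers and returns the encapsulated Ethernet frame. It computes the offset from the headers (14 bytes of Ethernet, the IPv4 IHL, and a GRE header of 4 to 16 bytes depending on the C/K/S flag bits) rather than assuming a fixed count, and only accepts GRE protocol type 0x6558 (Transparent Ethernet Bridging). BuildSample and the 192.0.2.x addresses are constructed test input, not captured traffic.

```go
package main

import (
	"encoding/binary"
	"errors"
	"math/bits"
)

const (
	etherTypeIPv4    = 0x0800
	ipProtoGRE       = 47
	greProtoTransEth = 0x6558 // Transparent Ethernet Bridging: GRE payload is a whole Ethernet frame
	greOptFlags      = 0xB0   // C (0x80), K (0x20), S (0x10): each set bit adds a 4-byte field
)
// UnwrapL2GRE returns the inner Ethernet frame carried by an L2GRE packet and the number
// of outer bytes (Ethernet + IPv4 + GRE) before it, derived from IHL and GRE flags.
func UnwrapL2GRE(pkt []byte) (inner []byte, skipped int, err error) {
	if len(pkt) < 34 || binary.BigEndian.Uint16(pkt[12:14]) != etherTypeIPv4 {
		return nil, 0, errors.New("outer frame is not Ethernet/IPv4")
	}
	ip := pkt[14:]
	ihl := int(ip[0]&0x0f) * 4 // IPv4 options lengthen the header beyond 20 bytes
	if ip[0]>>4 != 4 || ihl < 20 || ip[9] != ipProtoGRE || len(ip) < ihl+4 {
		return nil, 0, errors.New("bad IPv4 header, non-GRE payload, or truncated GRE header")
	}
	gre := ip[ihl:]
	greLen := 4 + 4*bits.OnesCount8(gre[0]&greOptFlags) // 4..16 bytes depending on flags
	if binary.BigEndian.Uint16(gre[2:4]) != greProtoTransEth {
		return nil, 0, errors.New("GRE payload is not Transparent Ethernet Bridging")
	}
	if len(gre) < greLen+14 {
		return nil, 0, errors.New("truncated inner Ethernet frame")
	}
	return gre[greLen:], 14 + ihl + greLen, nil
}

// BuildSample wraps innerFrame in a synthetic outer Ethernet/IPv4/GRE header (IPv4 checksum
// left zero, RFC 5737 documentation addresses); greFlags sets the GRE C/K/S bits. Test input only.
func BuildSample(innerFrame []byte, greFlags byte) []byte {
	gre := make([]byte, 4+4*bits.OnesCount8(greFlags&greOptFlags))
	gre[0] = greFlags
	binary.BigEndian.PutUint16(gre[2:4], greProtoTransEth)
	ip := make([]byte, 20)
	ip[0], ip[8], ip[9] = 0x45, 64, ipProtoGRE // IPv4 with IHL=5, TTL 64, protocol GRE
	binary.BigEndian.PutUint16(ip[2:4], uint16(len(ip)+len(gre)+len(innerFrame)))
	copy(ip[12:], []byte{192, 0, 2, 1, 192, 0, 2, 2}) // src 192.0.2.1, dst 192.0.2.2
	eth := make([]byte, 14)
	binary.BigEndian.PutUint16(eth[12:14], etherTypeIPv4)
	return append(append(append(eth, ip...), gre...), innerFrame...)
}
```

With no GRE options the skipped prefix is 38 bytes; a key or sequence field (common on monitoring tunnels) adds 4 bytes each, which is why a fixed strip length is fragile.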

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot], Jul 09 '20 00:07

Any thoughts on this, Elastic folks? Would rather not have this issue auto-closed because of a lack of response.

rwaweber, Jul 09 '20 13:07

I second that.

GitSweendog, Jul 09 '20 13:07

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

elasticmachine, May 10 '21 08:05

This would be super useful. Having this in telecom networks sending SIP off to elastic would be pretty great.

Zeal0us, Apr 01 '22 18:04

Any updates on this issue? I've got a similar problem where I have raw data being sent to Elastic over a GRE tunnel, but have no way of getting the data processed in Elastic. Would standing up a server in between running Packetbeat resolve this issue?

cductive, Dec 14 '22 02:12

watching

3wjs, Oct 27 '23 05:10

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

elasticmachine, Jan 31 '24 19:01

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!

botelastic[bot], Jan 30 '25 19:01

Interested in this as well, if there are any updates to this.

Rabenherz112, Jul 15 '25 09:07

@nfritts is your team planning to work on this, or should we close this issue to avoid giving users false expectations?

pierrehilbert, Dec 08 '25 08:12