网络数据包分析器 Packetbeat 是第一个引入的 beat。 Packetbeat 捕获服务器之间的网络流量，因此可用于应用程序和性能监视。Packetbeat 可以安装在受监视的服务器上，也可以安装在其专用服务器上。 Packetbeat 跟踪网络流量，解码协议并记录每笔交易的数据。 Packetbeat 支持的协议包括：DNS，HTTP，ICMP，Redis，MySQL，MongoDB，Cassandra 等。理解像 Packetbeat 这样的网络数据包分析系统的价值的最佳方法是根据自己的流量进行尝试。更多信息，请参阅Elastic 的官方网站 Packetbeat: Network Analytics Using Elasticsearch | Elastic。

要开始你自己的 Packetbeat 设置，请安装和配置以下相关产品：

• 用于存储和索引数据的 Elasticsearch
• 用户界面的 Kibana

如果你还没有完成自己的 Elasticsearch 及 Kibana 的安装，请参阅我们之前的文章 “Elastic：开发者上手指南”。

对于有经验的开发者来说，我们可以直接进入到 Elastic 公司的官网直接下载，并安装。下载地址为 Download Beats: Data Shippers for Elasticsearch | Elastic。当我们下载时，必须注意选择和自己 Elasticsearch 想匹配的版本。我们可以可以在自己的电脑上直接使用命令来进行安装。你可以根据自己的版本替换下面命令行中的7.6.1版本号码。

deb:

sudo apt-get install libpcap0.8
curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-7.6.1-amd64.deb
sudo dpkg -i packetbeat-7.6.1-amd64.deb

rpm:

sudo yum install libpcap
curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-7.6.1-x86_64.rpm
sudo rpm -vi packetbeat-7.6.1-x86_64.rpm

mac:

curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-7.6.1-darwin-x86_64.tar.gz
tar xzvf packetbeat-7.6.1-darwin-x86_64.tar.gz

brew:

brew tap elastic/tap
brew install elastic/tap/packetbeat-full

这将安装最新发行的 Packetbeat 默认发行版。 要安装 OSS 发行版，请指定 elastic/tap/packetbeat-oss。

linux:

curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-7.6.1-linux-x86_64.tar.gz
tar xzvf packetbeat-7.6.1-linux-x86_64.tar.gz

win:

下载并安装实现 libpcap 接口的数据 sniffing 库，例如 Npcap。

如果使用 Npcap，请确保以 WinPcap API 兼容模式安装它。 如果你打算从 loopback 设备捕获流量（127.0.0.1流量），则还选择支持 loopback 流量的选项。

• 从下载页面下载 Packetbeat Windows zip 文件
• 将 zip 文件的内容提取到 C:\Program Files
• 将 packetbeat- <版本> -windows 目录重命名为 Packetbeat
• 以管理员身份打开 PowerShel l提示符（右键单击 PowerShell 图标，然后选择“以管理员身份运行”）。

在 PowerShell 提示符下，运行以下命令以将 Packetbeat 安装为 Windows 服务：

PS > cd 'C:\Program Files\Packetbeat'
PS C:\Program Files\Packetbeat> .\install-service-packetbeat.ps1

 请注意：如果在系统上禁用了脚本执行，则需要为当前会话设置执行策略以允许脚本运行。 例如：

PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-packetbeat.ps1

在使用Packetbeat之前，我们必须配置 Packetbeat 才可以使它正常工作。在 Packetbeat 的安装目录下，有一个叫做 packetbeat.yml 的配置文件（针对 Linux 的情况，它位于 /etc/packetbeat/ 目录下）。在最简单的情况下，我们必须修改：

output.elasticsearch:
  hosts: ["myEShost:9200"]
  username: "filebeat_internal"
  password: "YOUR_PASSWORD" 
setup.kibana:
  host: "mykibanahost:5601"
  username: "my_kibana_user"  
  password: "YOUR_PASSWORD"

我们需要把 Elasticsearch 及 Kibana 的地址填入到上面的位置。这样我们我们就可以把数据传入到 Elasticsearch 中，并在 Kibana 中的 Dashboard 中进行展示。更多的配置请参阅 Elastic 的官方文档 “Configure Packetbeat”。

等修改完我们的 packetbeat.yml 文件后，我们可以使用如下的命令来检查修改后的文件是否正确：

sudo packetbeat test config -e

如果你看到如下的类似的输出：

$ sudo packetbeat test config -e
2020-03-17T16:18:14.995+0800	INFO	instance/beat.go:622	Home path: [/usr/share/packetbeat] Config path: [/etc/packetbeat] Data path: [/var/lib/packetbeat] Logs path: [/var/log/packetbeat]
2020-03-17T16:18:14.995+0800	INFO	instance/beat.go:630	Beat ID: 7855ec98-8eb1-4639-a65f-936acfc2cabd
2020-03-17T16:18:14.996+0800	INFO	[beat]	instance/beat.go:958	Beat info	{"system_info": {"beat": {"path": {"config": "/etc/packetbeat", "data": "/var/lib/packetbeat", "home": "/usr/share/packetbeat", "logs": "/var/log/packetbeat"}, "type": "packetbeat", "uuid": "7855ec98-8eb1-4639-a65f-936acfc2cabd"}}}
2020-03-17T16:18:14.996+0800	INFO	[beat]	instance/beat.go:967	Build info	{"system_info": {"build": {"commit": "c1c49432bdc53563e63e9d684ca3e9843626e448", "libbeat": "7.6.1", "time": "2020-02-28T23:00:10.000Z", "version": "7.6.1"}}}
2020-03-17T16:18:14.996+0800	INFO	[beat]	instance/beat.go:970	Go runtime info	{"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":6,"version":"go1.13.8"}}}
2020-03-17T16:18:14.996+0800	INFO	[beat]	instance/beat.go:974	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2020-03-17T05:49:48+08:00","containerized":false,"name":"liuxg","ip":["127.0.0.1/8","::1/128","192.168.43.192/24","fe80::4335:a826:a61b:c231/64"],"kernel_version":"5.3.0-40-generic","mac":["08:00:27:2a:f0:fa"],"os":{"family":"debian","platform":"ubuntu","name":"Ubuntu","version":"18.04.4 LTS (Bionic Beaver)","major":18,"minor":4,"patch":4,"codename":"bionic"},"timezone":"CST","timezone_offset_sec":28800,"id":"aa0be63698ff4d65848345a09778d58b"}}}
2020-03-17T16:18:14.997+0800	INFO	[beat]	instance/beat.go:1003	Process info	{"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/etc/packetbeat", "exe": "/usr/share/packetbeat/bin/packetbeat", "name": "packetbeat", "pid": 5187, "ppid": 5186, "seccomp": {"mode":"disabled","no_new_privs":false}, "start_time": "2020-03-17T16:18:14.350+0800"}}}
2020-03-17T16:18:14.997+0800	INFO	instance/beat.go:298	Setup Beat: packetbeat; Version: 7.6.1
2020-03-17T16:18:14.997+0800	INFO	[index-management]	idxmgmt/std.go:182	Set output.elasticsearch.index to 'packetbeat-7.6.1' as ILM is enabled.
2020-03-17T16:18:14.997+0800	INFO	elasticsearch/client.go:174	Elasticsearch url: http://192.168.43.220:9200
2020-03-17T16:18:14.997+0800	INFO	[publisher]	pipeline/module.go:110	Beat name: liuxg
2020-03-17T16:18:14.997+0800	INFO	procs/procs.go:105	Process watcher disabled
Config OK

则表明我们的配置是成功的。

等配置完我们的 Packetbeat，并配置完后我们运行如下的命令进行 setup (Linux):

sudo packetbeat setup

$ sudo packetbeat setup
Overwriting ILM policy is disabled. Set `setup.ilm.overwrite:true` for enabling.

Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards

上面显示我们已经成功地安装了 Dashboard 及配置 Index。

接下来我们使用如下的命令来启动这个 packetbeat 的服务 （Linux)：

sudo service packetbeat start

我们可以在 Linux 下查看这个服务：

$ systemctl status packetbeat
● packetbeat.service - Packetbeat analyzes network traffic and sends the data to Elasticsearch.
   Loaded: loaded (/lib/systemd/system/packetbeat.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-03-17 16:02:56 CST; 38s ago
     Docs: https://www.elastic.co/products/beats/packetbeat
 Main PID: 4355 (packetbeat)
    Tasks: 15 (limit: 4915)
   CGroup: /system.slice/packetbeat.service
           └─4355 /usr/share/packetbeat/bin/packetbeat -e -c /etc/packetbeat/packetbeat.yml -path.ho

上面显示我们的 packetbeat 正在运行正常。

这个时候打开我们的 Kibana，并选择 Dashboard:

点击上面的 [Packetbeat] Flow ECS：

如果你已经看见上面的一些数据，则表明我们的 Packetbeat 已经是安装正确的。

参考：

【1】Packetbeat quick start: installation and configuration | Packetbeat Reference [8.2] | Elastic