You need to log in to create posts and topics.

Installing Packetbeat For Windows

Packetbeat is a real-time network packet analyzer that you can use with Elasticsearch to provide an application monitoring and performance analytics system. Packetbeat completes the Beats platform by providing visibility between the servers of your network.

Packetbeat works by capturing the network traffic between your application servers, decoding the application layer protocols (HTTP, MySQL, Redis, and so on), correlating the requests with the responses, and recording the interesting fields for each transaction.

Packetbeat can help you easily notice issues with your back-end application, such as bugs or performance problems, and it makes troubleshooting them - and therefore fixing them - much faster.

Packetbeat sniffs the traffic between your servers, parses the application-level protocols on the fly, and correlates the messages into transactions. Currently, Packetbeat supports the following protocols:

  • ICMP (v4 and v6)
  • DHCP (v4)
  • DNS
  • HTTP
  • AMQP 0.9.1
  • Cassandra
  • Mysql
  • PostgreSQL
  • Redis
  • Thrift-RPC
  • MongoDB
  • Memcache
  • NFS
  • TLS

1. Download and install Npcap. Npcap is a library that uses a driver to enable packet capturing.


2. Download the Packetbeat 6.5.4 64 bit for Windows.


3. Extract the contents of the zip file into C:\Program Files.


4. Rename the packetbeat-6.5.4-windows directory in C:\Program Files to packetbeat.


5. Open a PowerShell prompt as administrator and cd into C:\Program Files.


6. Set the execution policy to be able to run the execution script. Cd into the packetbeat folder and run the following script:

          PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-packetbeat.ps1

The script is case sensitive


7. Configure the Packetbeat

Packetbeat needs to be configured to select the network interface from which to capture the traffic. Run the following command to list the available network interfaces:

.\packetbeat.exe devices

Currently, Packetbeat does not support Multiple interfaces i.e. packetbeat.interfaces.device: any in windows. You must run multiple instances to monitor all of these. 


8. Configure the packetbeat.yml  file with the correct credentials.

Tip: The easiest way to do this is to open the file up in a code editor such as Visual Studio Code.

Network Device

#============================== Network device ================================
# Select the network interface to sniff the data. On Linux, you can use the
# "any" keyword to sniff on all connected interfaces.
packetbeat.interfaces.device: 0
This device number has been set according to one of the options from the listed devices in step 7.


Out of the box, Packetbeat will monitor all the following transaction protocols:

If you use any non-standard ports, add them here. Otherwise, the default values should do just fine!

#========================== Transaction protocols =============================
- type: icmp
  # Enable ICMPv4 and ICMPv6 monitoring. Default: false
  enabled: true
- type: amqp
  # Configure the ports where to listen for AMQP traffic. You can disable
  # the AMQP protocol by commenting out the list of ports.
  ports: [5672]
- type: cassandra
  #Cassandra port for traffic monitoring.
  ports: [9042]
- type: dhcpv4
  # Configure the DHCP for IPv4 ports.
  ports: [6768]
- type: dns
  # Configure the ports where to listen for DNS traffic. You can disable
  # the DNS protocol by commenting out the list of ports.
  ports: [53]
  # include_authorities controls whether or not the dns.authorities field
  # (authority resource records) is added to messages.
  include_authorities: true
  # include_additionals controls whether or not the dns.additionals field
  # (additional resource records) is added to messages.
  include_additionals: true
- type: http
  # Configure the ports where to listen for HTTP traffic. You can disable
  # the HTTP protocol by commenting out the list of ports.
  ports: [808080800050008002]
- type: memcache
  # Configure the ports where to listen for memcache traffic. You can disable
  # the Memcache protocol by commenting out the list of ports.
  ports: [11211]
- type: mysql
  # Configure the ports where to listen for MySQL traffic. You can disable
  # the MySQL protocol by commenting out the list of ports.
  ports: [3306]
- type: pgsql
  # Configure the ports where to listen for Pgsql traffic. You can disable
  # the Pgsql protocol by commenting out the list of ports.
  ports: [5432]
- type: redis
  # Configure the ports where to listen for Redis traffic. You can disable
  # the Redis protocol by commenting out the list of ports.
  ports: [6379]
- type: thrift
  # Configure the ports where to listen for Thrift-RPC traffic. You can disable
  # the Thrift-RPC protocol by commenting out the list of ports.
  ports: [9090]
- type: mongodb
  # Configure the ports where to listen for MongoDB traffic. You can disable
  # the MongoDB protocol by commenting out the list of ports.
  ports: [27017]
- type: nfs
  # Configure the ports where to listen for NFS traffic. You can disable
  # the NFS protocol by commenting out the list of ports.
  ports: [2049]
- type: tls
  # Configure the ports where to listen for TLS traffic. You can disable
  # the TLS protocol by commenting out the list of ports.
  ports: [443]
Kibana Section: 
#============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  #host: "localhost:5601"
  username: "<username>"
  password: "<password>"
For PhoenixNap customers, use "" as the host. 
Elasticsearch Section:
#-------------------------- Elasticsearch output ------------------------------
# Array of hosts to connect to.
hosts: ["< API Endpoint>"]
# Optional protocol and basic auth credentials.
protocol: "https"
username: "<username>"
password: "<password>"
9. Test the packetbeat.yml configuration. In the Command Prompt, run the following script in the packetbeat folder:
This command needs to be run in the Command Prompt. Not Powershell! Make sure you open the Command Prompt as Administrator.
packetbeat -e -c packetbeat.yml

Tip: The packetbeat configuration will display in the terminal without any ERROR messages if everything is entered correctly.



10. Setup pre-configured Dashboards in Kibana. 

.\packetbeat.exe setup --dashboards

This will load the pre-configured dashboards and indexing into Kibana automatically.


11.  Run the program in the foreground to make sure everything is setup:

            .\packetbeat.exe -c packetbeat.yml -e -d "*"

This will run Filebeat in the terminal and will continually display any logs being added in real-time. Use CTRL-C to terminate the foreground process.


12. Once the config has been tested and runs without any ERROR messages, install Metricbeat as a service:



13. Test that packetbeat has been installed as a service:

             service packetbeat

Tip: If installed correctly, the terminal will display the Status, Name, and DisplayName.


14. Start the packetbeat service as a background process: 

              start-service packetbeat

Logs should already start appearing in the Discover tab within seconds. You may need to refresh the page.