Collect DNS Packets with Lumu VA and Packetbeat

Requirements

  1. The latest Packetbeat version. You can download it from the official website.
  2. The latest Npcap version. We recommend downloading it from the official website.
  3. The most recent version of the Lumu Virtual Appliance installed.
You can check the current version of the virtual appliance with the command lumu-appliance -v. For more information on how to upgrade the Lumu VA, consult Upgrade Virtual Appliances.
These are the general steps you should follow to configure Packetbeat with Npcap for DNS packet collection:
Steps to configure Packetbeat

Deploy and Set Up Lumu VA

All detailed steps to create, download, and install a virtual appliance on your preferred hypervisor or Cloud solution are available in our documentation:

Npcap installation

Npcap is a packet sniffing library required by Packetbeat that sniffs the DNS traffic that passes through the Windows Server network interface.

The Npcap license is not included with Lumu. The Npcap free license allows only a limited number of installations for commercial use. To learn more about Npcap licensing, visit their website.
Installing Npcap requires executing the installer and following the default steps:
Keep the default parameters
End of the installation process

Packetbeat Installation

Packetbeat is the component in charge of reading and parsing the data captured by Npcap and sending it to the Lumu Virtual Appliance.

In this document, we show the installation procedure on a Windows Server; for other operating systems, consult Elastic’s official guide.
1. Extract the content of the .zip file you downloaded into the directory “C:\Program Files” and rename the folder to “Packetbeat”.
Packetbeat folder in Program Files

2. Open Windows PowerShell as admin and run the following command to install Packetbeat as a service:

PS > cd 'C:\Program Files\Packetbeat'
PS C:\Program Files\Packetbeat> .\install-service-packetbeat.ps1

If you get an alert about a system restriction, you need to set the execution policy for the session by running the following command:

PS C:\Program Files\Packetbeat> PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-packetbeat.ps1
Packetbeat installation script
3. To configure Packetbeat, go to the installation folder, e.g. C:\Program Files\Packetbeat (Windows) or /usr/share/packetbeat (Linux), and edit the file packetbeat.yml. For new installations, we recommend deleting the current content of the file and adding the following content:

Replace the interface index, IPs, and port number with those configured in the Virtual Appliance. Run the following command to list the capture devices and find the index of the interface that receives your DNS traffic, then set that index in the configuration file under the parameter packetbeat.interfaces.device.

.\packetbeat devices
Click here to download the content of the configuration file.
  
##Packetbeat configuration file##
packetbeat.interfaces.device: 0 ##the interface you want to capture traffic
packetbeat.protocols.dns:
  ports: [53]
output.logstash:
  hosts: ["192.168.0.130:50445"] ##The Lumu VA IP and port
processors:
  - drop_event:
      when:
        equals:
          client.ip: 192.168.0.135 ##IP of the Packetbeat machine
  - include_fields:
      fields:
        - network.protocol
        - client.ip
        - dns.id
        - dns.op_code
        - dns.response_code
        - dns.question.type
        - dns.question.name
        - dns.question.class
        - dns.flags.authoritative
        - dns.flags.recursion_available
        - dns.flags.truncated_response
        - dns.flags.checking_disabled
        - dns.flags.recursion_desired
        - dns.flags.authentic_data
        - dns.answers
# logging.level: debug
# logging.to_eventlog: true
For more details on the configuration settings, consult the Elastic official documentation.
4. You can run a test on the new configuration file:
PS C:\Program Files\Packetbeat> .\packetbeat test config

The result should be config ok.

5. Finally, run the following command in PowerShell to start the service:

PS C:\Program Files\Packetbeat> Start-Service packetbeat
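The following script is an added example, not Lumu's or Elastic's own code, that chains steps 2 to 5 above from an elevated PowerShell session. It assumes the sample values used in this article (VA at 192.168.0.130 port 50445, Packetbeat machine 192.168.0.135, install path C:\Program Files\Packetbeat); replace them with your own. It stops if Packetbeat rejects the configuration and warns if the VA collector port is not reachable, so the service is not started on a configuration that cannot deliver events.

```powershell
# Added example (not part of the Lumu article or the Packetbeat project).
# Run from an elevated PowerShell prompt. All values below are assumptions
# taken from the sample configuration in the article; adjust them.
$PacketbeatDir = 'C:\Program Files\Packetbeat'
$LumuVaHost    = '192.168.0.130'   # Lumu VA IP (assumed)
$LumuVaPort    = 50445             # port chosen when the VA collector was set up (assumed)
$LocalIp       = '192.168.0.135'   # IP of this Packetbeat machine (assumed)

Set-Location $PacketbeatDir

# Step 2: register the Windows service. -ExecutionPolicy only applies to this
# child PowerShell.exe process, so the machine-wide policy is left unchanged.
if (-not (Get-Service -Name packetbeat -ErrorAction SilentlyContinue)) {
    PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-packetbeat.ps1
}

# Step 3a: list capture devices and let the operator choose the interface index
# that actually carries the DNS traffic (the index is not guessed automatically).
.\packetbeat devices
$DeviceIndex = Read-Host 'Index of the interface that receives DNS traffic'

# Step 3b: write packetbeat.yml with the content shown in this article.
$Config = @"
packetbeat.interfaces.device: $DeviceIndex
packetbeat.protocols.dns:
  ports: [53]
output.logstash:
  hosts: ["${LumuVaHost}:${LumuVaPort}"]
processors:
  - drop_event:
      when:
        equals:
          client.ip: $LocalIp
  - include_fields:
      fields:
        - network.protocol
        - client.ip
        - dns.id
        - dns.op_code
        - dns.response_code
        - dns.question.type
        - dns.question.name
        - dns.question.class
        - dns.flags.authoritative
        - dns.flags.recursion_available
        - dns.flags.truncated_response
        - dns.flags.checking_disabled
        - dns.flags.recursion_desired
        - dns.flags.authentic_data
        - dns.answers
"@
$ConfigPath = Join-Path $PacketbeatDir 'packetbeat.yml'
# Keep a backup of any existing configuration before overwriting it.
if (Test-Path $ConfigPath) { Copy-Item $ConfigPath "$ConfigPath.bak" -Force }
Set-Content -Path $ConfigPath -Value $Config -Encoding ascii

# Step 4: validate the configuration; a non-zero exit code means Packetbeat rejected it.
.\packetbeat test config
if ($LASTEXITCODE -ne 0) {
    throw 'packetbeat test config failed; fix packetbeat.yml before starting the service'
}

# Pre-flight check: the VA collector port must be reachable or events will never arrive.
if (-not (Test-NetConnection -ComputerName $LumuVaHost -Port $LumuVaPort -InformationLevel Quiet)) {
    Write-Warning "Cannot reach ${LumuVaHost}:${LumuVaPort}; check the VA collector and firewall rules"
}

# Step 5: start the service and confirm its state.
Start-Service -Name packetbeat
Get-Service -Name packetbeat | Select-Object Name, Status
```

The drop_event processor excludes traffic whose client.ip is the Packetbeat machine itself, so the collector forwards only queries from other hosts; if the machine has several addresses, repeat the check for each one you want excluded.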

Configure Lumu VA DNS Packet Collector

Once you have installed and configured a Lumu Virtual Appliance with the respective DNS Packets collector, and you have Packetbeat installed and running, go to the Lumu Virtual Appliance and refresh the VA Collectors settings by running the following command:

applianceadmin@lva:~$ lumu-appliance collectors refresh

If the appliance is running, stop it before setting up collectors. Follow the prompts and provide the required parameters.

Make sure the port parameter matches the one you configured in packetbeat.yml.
Virtual Appliance collector update

Uninstall Packetbeat and Npcap

In case you want to uninstall Packetbeat or Npcap from your Windows Server, follow the next steps:

Uninstall Packetbeat

From Windows PowerShell go to the Packetbeat installation path and execute the following script:

PS C:\Program Files\Packetbeat> .\uninstall-service-packetbeat.ps1

If you get an alert about a system restriction, please add execution permission to the script by typing the following command:

PS C:\Program Files\Packetbeat> PowerShell.exe -ExecutionPolicy Unrestricted -File .\uninstall-service-packetbeat.ps1

Packetbeat uninstall script output
Uninstall Npcap

From the Windows Control Panel, go to “Programs and Features”, choose Npcap from the list and select "Uninstall".

Uninstalling Npcap
