Requirements
- The latest Packetbeat version. You can download it from the official website.
- The latest Npcap version. We recommend downloading it from the official website.
- The most recent version of the Lumu Virtual Appliance installed.
You can check the current version of the virtual appliance with the command lumu-appliance -v. For more information on how to upgrade the Lumu VA, consult Upgrade Virtual Appliances.
These are the general steps you should follow to configure Packetbeat with Npcap for DNS packet collection:
Deploy and Set Up Lumu VA
All detailed steps to create, download, and install a virtual appliance on your preferred hypervisor or Cloud solution are available in our documentation:
Npcap installation
Npcap is a packet sniffing library required by Packetbeat that sniffs the DNS traffic that passes through the Windows Server network interface.
The Npcap license is not included with Lumu. The Npcap free license allows only a limited number of installations for commercial use. To learn more about Npcap licensing, visit their website.
Installing Npcap requires executing the installer and following the default steps:
Keep the default parameters
End of the installation process
Packetbeat Installation
Packetbeat is the component in charge of reading and parsing the data captured by Npcap and sending it to the Lumu Virtual Appliance.
This document shows the installation procedure on a Windows Server; for other operating systems, consult Elastic's official guide.
1. Extract the content of the .zip file you downloaded into the directory "C:\Program Files" and rename the extracted folder to "Packetbeat".
Packetbeat folder in Program Files
2. Open Windows PowerShell as admin and run the following command to install Packetbeat as a service:
PS > cd 'C:\Program Files\Packetbeat'
PS C:\Program Files\Packetbeat> .\install-service-packetbeat.ps1
If you get an alert about a system restriction, run the script with the execution policy overridden for that invocation only:
PS C:\Program Files\Packetbeat> PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-packetbeat.ps1
Packetbeat installation script
3. To configure Packetbeat, go to the installation folder, e.g. C:\Program Files\Packetbeat (Windows) or /usr/share/packetbeat (Linux), and edit the file packetbeat.yml. For new installations, we recommend deleting the current content of the file and replacing it with the content below.
Replace the interface number, IPs, and port number with those configured in the Virtual Appliance. Run the following command to list the capture interfaces and find the number of the one that receives your DNS traffic, then put that number in the packetbeat.interfaces.device parameter of the configuration file:
.\packetbeat devices
# Packetbeat configuration file
packetbeat.interfaces.device: 0   # the interface you want to capture traffic on
packetbeat.protocols.dns:
  ports: [53]
output.logstash:
  hosts: ["192.168.0.130:50445"]   # the Lumu VA IP and port
processors:
  - drop_event:
      when:
        equals:
          client.ip: 192.168.0.135   # IP of the Packetbeat machine
  - include_fields:
      fields:
        - network.protocol
        - client.ip
        - dns.id
        - dns.op_code
        - dns.response_code
        - dns.question.type
        - dns.question.name
        - dns.question.class
        - dns.flags.authoritative
        - dns.flags.recursion_available
        - dns.flags.truncated_response
        - dns.flags.checking_disabled
        - dns.flags.recursion_desired
        - dns.flags.authentic_data
        - dns.answers
# logging.level: debug
# logging.to_eventlog: true
4. Test the new configuration file before starting the service:
PS C:\Program Files\Packetbeat> .\packetbeat test config
The result should be config ok.
5. Finally, run the following command in PowerShell to start the service:
PS C:\Program Files\Packetbeat> Start-Service packetbeat
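Steps 2 to 5 above as one PowerShell script, an added example rather than Lumu's or Elastic's own code. It assumes the Packetbeat folder from step 1 already exists, that Npcap is installed, and that each line printed by .\packetbeat devices starts with the interface index followed by a colon and ends with the interface's addresses, so the interface is chosen by matching this machine's own IP.

```powershell
# Added example (not Lumu's or Elastic's script). Assumes C:\Program Files\Packetbeat exists and Npcap is installed.
$PacketbeatDir = 'C:\Program Files\Packetbeat'
$VaHost  = '192.168.0.130'   # Lumu VA IP (value from this page; change to yours)
$VaPort  = 50445             # port configured on the VA DNS Packets collector
$LocalIp = '192.168.0.135'   # IP of this Packetbeat machine (excluded via drop_event)
Set-Location $PacketbeatDir
# Step 2: register the Windows service; the policy override applies to this call only
PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-packetbeat.ps1
# Step 3a: pick the capture interface. Assumption: each 'packetbeat devices' line reads
# "<index>: <name> (<description>) (<addresses>)", so we match on our own IP.
$deviceLine = & .\packetbeat.exe devices | Where-Object { $_ -match [regex]::Escape($LocalIp) } | Select-Object -First 1
if (-not $deviceLine) { throw "No capture device lists $LocalIp; check the output of .\packetbeat devices" }
$deviceIndex = [int](($deviceLine -split ':')[0])
# Step 3b: write packetbeat.yml (the configuration from this page, parameterised)
$config = @"
packetbeat.interfaces.device: $deviceIndex
packetbeat.protocols.dns:
  ports: [53]
output.logstash:
  hosts: ["${VaHost}:${VaPort}"]
processors:
  - drop_event:
      when:
        equals:
          client.ip: $LocalIp
  - include_fields:
      fields:
        - network.protocol
        - client.ip
        - dns.id
        - dns.op_code
        - dns.response_code
        - dns.question.type
        - dns.question.name
        - dns.question.class
        - dns.flags.authoritative
        - dns.flags.recursion_available
        - dns.flags.truncated_response
        - dns.flags.checking_disabled
        - dns.flags.recursion_desired
        - dns.flags.authentic_data
        - dns.answers
"@
Set-Content -Path (Join-Path $PacketbeatDir 'packetbeat.yml') -Value $config -Encoding ascii
# Step 4: validate before starting; packetbeat exits non-zero on a bad configuration
& .\packetbeat.exe test config
if ($LASTEXITCODE -ne 0) { throw 'packetbeat test config failed; fix packetbeat.yml before starting the service' }
# Step 5: start the service and confirm its state
Start-Service packetbeat
Get-Service packetbeat | Select-Object Name, Status
```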
Once you have installed and configured a Lumu Virtual Appliance with the corresponding DNS Packets collector, and Packetbeat is installed and running, go to the Lumu Virtual Appliance and refresh the VA collector settings by running the following command:
applianceadmin@lva:~$ lumu-appliance collectors refresh
If the appliance is running, it must be stopped before setting up collectors. Follow the prompts and provide the required parameters.
Make sure the port parameter matches the port you configured in packetbeat.yml.
Virtual Appliance collector update
Uninstall Packetbeat and Npcap
In case you want to uninstall Packetbeat or Npcap from your Windows Server, follow the next steps:
Uninstall Packetbeat
From Windows PowerShell go to the Packetbeat installation path and execute the following script:
PS C:\Program Files\Packetbeat> .\uninstall-service-packetbeat.ps1
If you get an alert about a system restriction, run the uninstall script with the execution policy overridden for that invocation only:
PS C:\Program Files\Packetbeat> PowerShell.exe -ExecutionPolicy UnRestricted -File .\uninstall-service-packetbeat.ps1
Packetbeat uninstall script output
Uninstall Npcap
From the Windows Control Panel, go to “Programs and Features”, choose Npcap from the list and select "Uninstall".
Uninstalling Npcap