The Lumu Virtual Appliance (VA) offers the option to create Collectors, a seamless way to integrate with network metadata. In this quick guide, we show you how to configure Packetbeat on a Windows Server for DNS packet collection.
Figure 1 - Network diagram with Lumu VA Collector for Packetbeat.
The latest Packetbeat version. You can download it from the
The latest Npcap version. We recommend downloading it from the
Npcap is the packet sniffing library that Packetbeat requires. It captures the DNS traffic that passes through the Windows Server network interface.
The Npcap license is not included with Lumu. The Npcap free license allows a limited number of installations for commercial use. To know more about Npcap licensing, access
Installing Npcap requires executing the installer and following the default steps:
Figure 2 - Keep the default parameters.
Figure 3 - End of the installation process.
Packetbeat is the component in charge of reading and parsing the data captured by Npcap and sending it to the Lumu Virtual Appliance.
In this document, we show the installation procedure on a Windows Server. For other operating systems, consult Elastic’s official guide.
1. Extract the content of the .zip file you downloaded into the directory “C:\Program Files” and rename the folder as “Packetbeat”.
Figure 4. Packetbeat folder in Program Files.
2. Open Windows PowerShell as administrator and run the following commands to install Packetbeat as a service:
PS > cd 'C:\Program Files\Packetbeat'
PS C:\Program Files\Packetbeat> .\install-service-packetbeat.ps1
If you get an alert about a system restriction, you need to set the execution policy for the session by running the following command. The -ExecutionPolicy parameter applies only to this PowerShell invocation and leaves the machine-wide policy unchanged:
PS C:\Program Files\Packetbeat> PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-packetbeat.ps1
Figure 5. Packetbeat installation script.
3. To configure Packetbeat, go to the installation folder, e.g
(for Windows) or
(for Linux) and edit the file
. For new installations, we recommend deleting the current content of the file and adding the following content:
Remember to replace the IP and port number with those configured in the Virtual Appliance.
You can run
to get the number of the interface that receives your DNS traffic, then add that number to the configuration file in the parameter
to download the content of the configuration file.
##Packetbeat configuration file##
packetbeat.interfaces.device: 0 ##the interface you want to capture traffic on
hosts: ["192.168.0.130:50445"] ##The Lumu VA IP and port
client.ip: 192.168.0.135 ##IP of the Packetbeat machine
# logging.level: debug
# logging.to_eventlog: true
4. You can run a test on the new configuration file:
PS C:\Program Files\Packetbeat> .\packetbeat test config
The result should be config ok.
5. Finally, run the following command in PowerShell to start the service:
PS C:\Program Files\Packetbeat> Start-Service packetbeat
Configure the Lumu Collector
Now that you have Packetbeat installed and running, you need to create and activate the collector. For this, go to the Lumu Portal and make sure you added a “DNS Packets” collector on your Virtual Appliance, as shown in Figure 6.
Figure 6 - Add the DNS Collector in Lumu Portal
Once the collector is created on the Lumu Portal, you must activate it on the Virtual Appliance. For this, go to the Lumu VA console and run the following command:
applianceadmin@lva:~$ lumu-appliance collectors refresh
Follow the instructions and provide the required parameters.
Make sure to set the port parameter as the same as the one you configured in the file (
Figure 7. Virtual Appliance collector update.
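Once the collector is active, the checks from steps 4 and 5 can be combined with an output and interface check in one post-install script. This is an added example, not part of Lumu's guide: the `test output` and `devices` subcommands are standard Packetbeat commands that the steps above do not show, and reading their exit codes as pass/fail is an assumption.

```powershell
# Added example (not from the Lumu guide): post-install checks for the
# Packetbeat -> Lumu VA pipeline. Run from an elevated PowerShell session.
$PacketbeatDir = 'C:\Program Files\Packetbeat'   # install path used in this guide
$ServiceName   = 'packetbeat'                    # service name used in this guide
$checks = [ordered]@{}

Push-Location $PacketbeatDir
try {
    # 1. The service installed in step 2 exists and was started in step 5.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $checks['Service running'] = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # 2. Same check as step 4: the configuration file parses.
    & .\packetbeat test config | Out-Host
    $checks['Config valid'] = ($LASTEXITCODE -eq 0)

    # 3. Packetbeat can reach the output in the config (the Lumu VA IP and port).
    #    Assumption: a zero exit code means the connection succeeded.
    & .\packetbeat test output | Out-Host
    $checks['VA collector reachable'] = ($LASTEXITCODE -eq 0)

    # 4. Npcap exposes capture interfaces; the index printed here is the
    #    value to use for packetbeat.interfaces.device.
    $devices = @(& .\packetbeat devices)
    $devices | Out-Host
    $checks['Capture interfaces listed'] = ($LASTEXITCODE -eq 0) -and ($devices.Count -gt 0)
}
finally {
    Pop-Location
}

# Print one line per check and warn if anything failed.
$failed = 0
foreach ($name in $checks.Keys) {
    if ($checks[$name]) { $status = 'OK' } else { $status = 'FAIL'; $failed++ }
    '{0,-28} {1}' -f $name, $status
}
if ($failed -gt 0) { Write-Warning "$failed check(s) failed" }
```

A failed "VA collector reachable" check with the other three passing points at the IP, port, or collector activation rather than at the Windows Server side.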
Uninstall Packetbeat and Npcap
If you want to uninstall Packetbeat or Npcap from your Windows Server, follow these steps:
From Windows PowerShell go to the Packetbeat installation path and execute the following script:
PS C:\Program Files\Packetbeat> .\uninstall-service-packetbeat.ps1
If you get an alert about a system restriction, run the uninstall script with the execution policy set for that invocation by typing the following command:
PS C:\Program Files\Packetbeat> PowerShell.exe -ExecutionPolicy UnRestricted -File .\uninstall-service-packetbeat.ps1
Figure 8. Packetbeat uninstall script output.
From the Windows Control Panel, go to “Programs and Features”, choose Npcap from the list and select "Uninstall".
Figure 9 - Uninstalling Npcap.