Collect DNS Packets with Lumu VA and Packetbeat

The Lumu Virtual Appliance (VA) offers the option to create Collectors, a seamless way to integrate your network metadata into the Lumu platform. For example, where domain controllers act as the network's DNS servers, a single Lumu VA can receive and process DNS metadata from all of them. This approach does not require changing the network's DNS configuration or redirecting client traffic.

In this scenario, Lumu offers the possibility to install a lightweight agent (Packetbeat) on each domain controller; the agent captures the DNS traffic locally and forwards only the DNS metadata to the Lumu Virtual Appliance. In this quick guide, we show you how to configure Packetbeat on a Windows Server with Npcap for DNS packet collection.

Network diagram with Lumu VA Collector for Packetbeat

Requirements

  1. The latest Packetbeat version. You can download it from the official website.
  2. The latest Npcap version. We recommend downloading it from the official website.
  3. The most recent version of the Lumu Virtual Appliance installed.
You can check the current version of the virtual appliance using the following command: lumu-appliance -v. For more information on how to upgrade the Lumu VA, consult Upgrade Virtual Appliances.
These are the general steps you should follow to configure Packetbeat with Npcap for DNS packet collection:
Steps to configure Packetbeat

Deploy and Set Up Lumu VA

All detailed steps to create, download, and install a virtual appliance on your preferred hypervisor or Cloud solution are available in our documentation:

Npcap installation

Npcap is the packet capture driver and library that Packetbeat requires on Windows; it is what actually reads the DNS traffic passing through the Windows Server network interface so that Packetbeat can parse it.

The Npcap license is not included with Lumu. The free Npcap license allows only a limited number of installations for commercial use. To know more about Npcap licensing, consult their website.
Installing Npcap requires executing the installer and following the default steps:
Keep the default parameters
End of the installation process

Packetbeat Installation

Packetbeat is the component in charge of reading and parsing the data captured by Npcap and sending it to the Lumu Virtual Appliance.

In this document, we show the installation procedure on a Windows Server; for other operating systems, consult Elastic's official guide.
1. Extract the content of the .zip file you downloaded into the directory "C:\Program Files" and rename the extracted folder to "Packetbeat".
Packetbeat folder in Program Files

2. Open Windows PowerShell as admin and run the following command to install Packetbeat as a service:

PS > cd 'C:\Program Files\Packetbeat'
PS C:\Program Files\Packetbeat> .\install-service-packetbeat.ps1

If PowerShell refuses to run the script because of the execution policy, launch it with the policy overridden for that child process only (this does not change the machine-wide policy):

PS C:\Program Files\Packetbeat> PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-packetbeat.ps1
Packetbeat installation script
3. To configure Packetbeat, go to the installation folder, e.g. C:\Program Files\Packetbeat (for Windows) or /usr/share/packetbeat (for Linux), and edit the file packetbeat.yml. For new installations, we recommend deleting the current content of the file and adding the following content:

Replace the interface index, IP addresses, and port number with the values for your environment: the Lumu VA's IP address and the collector port configured on the appliance, and the IP address of the server running Packetbeat. You can run the command below to list the capture interfaces; find the one that receives your DNS traffic and put its index in the parameter packetbeat.interfaces.device.

PS C:\Program Files\Packetbeat>  .\packetbeat devices

Click here to download the content of the configuration file.

    ## Packetbeat configuration file ##
    packetbeat.interfaces.device: 0   # index of the interface to capture (from "packetbeat devices")
    packetbeat.protocols.dns:
      ports: [53]
    output.logstash:
      hosts: ["192.168.0.130:50445"]  # The Lumu VA IP and collector port
    processors:
      # Discard queries originated by this server itself (e.g. lookups the DNS
      # service forwards upstream) so they are not reported as endpoint activity.
      - drop_event:
          when:
            equals:
              client.ip: 192.168.0.135  # IP of the Packetbeat machine
      # Forward only the DNS metadata the VA needs; payload-free.
      - include_fields:
          fields:
            - network.protocol
            - client.ip
            - dns.id
            - dns.op_code
            - dns.response_code
            - dns.question.type
            - dns.question.name
            - dns.question.class
            - dns.flags.authoritative
            - dns.flags.recursion_available
            - dns.flags.truncated_response
            - dns.flags.checking_disabled
            - dns.flags.recursion_desired
            - dns.flags.authentic_data
            - dns.answers
    # logging.level: debug
    # logging.to_eventlog: true

Note that the drop_event filter matches a single address. If the server has more than one IPv4 address on which its DNS service runs, queries sent from the other addresses will not be dropped; use an "or" condition listing each address in that case.
For more details on the configuration settings, consult the Elastic official documentation.
4. Run a test on the new configuration file before starting the service:
PS C:\Program Files\Packetbeat> .\packetbeat test config

The result should be Config OK. Any YAML indentation mistake or unknown setting is reported here rather than at service start.

5. Finally, run the following command in PowerShell to start the service:

PS C:\Program Files\Packetbeat> Start-Service packetbeat
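The five installation steps above, carried out unattended by a single script. This is an added example, not a script from Lumu or Elastic; it uses only the Packetbeat commands shown in this guide. It goes a little further than the page's configuration: instead of one hard-coded client.ip, it builds the drop_event filter from every IPv4 address on the host, so a DNS server with several addresses does not report its own forwarded lookups as endpoint activity. The zip path, VA address, collector port, and interface index are hypothetical parameters that must be replaced with your own values; run it from an elevated PowerShell session.

```powershell
# Added example (not part of the Lumu or Elastic documentation): unattended
# Packetbeat setup on a Windows DNS server, following steps 1-5 above.
# Assumptions (hypothetical, adjust to your environment):
#   $ZipPath     - where the Packetbeat zip was downloaded
#   $VaHost/$VaPort - the Lumu VA address and the port of its DNS Packets collector
#   $DeviceIndex - the interface number printed by ".\packetbeat.exe devices"
param(
    [string]$ZipPath     = "$env:USERPROFILE\Downloads\packetbeat-windows-x86_64.zip",
    [string]$InstallDir  = 'C:\Program Files\Packetbeat',
    [string]$VaHost      = '192.168.0.130',
    [int]   $VaPort      = 50445,
    [int]   $DeviceIndex = 0
)
$ErrorActionPreference = 'Stop'

# Step 1: extract the archive and rename the versioned folder to "Packetbeat".
$tmp = Join-Path $env:TEMP 'packetbeat-extract'
Expand-Archive -Path $ZipPath -DestinationPath $tmp -Force
$extracted = Get-ChildItem -Path $tmp -Directory | Select-Object -First 1
if (Test-Path $InstallDir) { throw "$InstallDir already exists; uninstall the previous copy first." }
Move-Item -Path $extracted.FullName -Destination $InstallDir
Set-Location $InstallDir

# Step 3 (part a): refuse to continue if the chosen capture interface is not listed.
$devices = & .\packetbeat.exe devices
if (-not ($devices | Where-Object { $_ -match "^${DeviceIndex}:" })) {
    $devices | Write-Host
    throw "Interface index $DeviceIndex is not in the list above; pick one of those."
}

# Step 3 (part b): drop queries this server originates itself (e.g. lookups the
# DNS service forwards upstream). Every local IPv4 address is excluded, not just one.
$localIps = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' } |
    Select-Object -ExpandProperty IPAddress
$dropConds = ($localIps | ForEach-Object {
    "          - equals:`n              client.ip: $_"
}) -join "`n"

$yaml = @"
packetbeat.interfaces.device: $DeviceIndex
packetbeat.protocols.dns:
  ports: [53]
output.logstash:
  hosts: ["${VaHost}:${VaPort}"]
processors:
  - drop_event:
      when:
        or:
$dropConds
  - include_fields:
      fields:
        - network.protocol
        - client.ip
        - dns.id
        - dns.op_code
        - dns.response_code
        - dns.question.type
        - dns.question.name
        - dns.question.class
        - dns.flags.authoritative
        - dns.flags.recursion_available
        - dns.flags.truncated_response
        - dns.flags.checking_disabled
        - dns.flags.recursion_desired
        - dns.flags.authentic_data
        - dns.answers
"@
# ASCII avoids the UTF-8 BOM that Windows PowerShell 5 would otherwise prepend.
Set-Content -Path .\packetbeat.yml -Value $yaml -Encoding ASCII

# Step 4: validate the file before registering the service.
& .\packetbeat.exe test config -c .\packetbeat.yml
if ($LASTEXITCODE -ne 0) { throw 'packetbeat.yml failed validation; fix it before starting the service.' }

# Steps 2 and 5: register the service (policy override applies to the child
# process only) and start it.
PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-packetbeat.ps1
Start-Service -Name packetbeat
Get-Service -Name packetbeat | Format-List Name, Status, StartType
```

The config test is deliberately run before install-service-packetbeat.ps1: a service registered with a broken packetbeat.yml starts and immediately stops, and the failure is only visible in the Packetbeat log, whereas "test config" reports the exact line.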

Configure Lumu VA DNS Packet Collector

Once you have installed and configured a Lumu Virtual Appliance with the respective DNS Packets collector, and Packetbeat is installed and running, go to the Lumu Virtual Appliance and refresh the VA Collectors settings by running the following command:

applianceadmin@lva:~$ lumu-appliance collectors refresh

The appliance must be stopped while collectors are set up; if it is running, stop it first. Follow the prompts and enter the requested parameters.

Make sure the port parameter matches the one you configured in packetbeat.yml (output.logstash.hosts); Packetbeat opens an outbound TCP connection from the DNS server to the VA on that port, so any firewall between them must allow it.
Virtual Appliance collector update
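A set of checks to confirm the pipeline is working end to end, as an added example that is not part of the Lumu documentation. It is run on the DNS server in an elevated session after the collector has been refreshed. The VA address, collector port, server address, and the workstation name are hypothetical placeholders; the log directory is the one install-service-packetbeat.ps1 passes to the service via -path.logs (an assumption about that script, verify it against your copy). The last step needs WinRM access to the workstation.

```powershell
# Added example (not from Lumu): post-install checks for the Packetbeat -> Lumu VA path.
# Hypothetical values; replace them with your own.
param(
    [string]$VaHost   = '192.168.0.130',              # Lumu VA address
    [int]   $VaPort   = 50445,                        # DNS Packets collector port
    [string]$ServerIp = '192.168.0.135',              # this DNS server's address
    [string]$Client   = 'ws01.corp.example',          # a workstation that uses this DNS server
    [string]$LogDir   = "$env:ProgramData\packetbeat\logs"  # assumed -path.logs of the service
)

# 1. Service state. A service that stopped right after starting usually means
#    packetbeat.yml failed to load or Npcap is not installed; the log says which.
$svc = Get-Service -Name packetbeat
Write-Host "Service status: $($svc.Status)"

# 2. Network path. Packetbeat talks to the VA over TCP (Logstash protocol); a
#    firewall that only permits UDP/53 towards the VA will silently break collection.
$tnc = Test-NetConnection -ComputerName $VaHost -Port $VaPort -WarningAction SilentlyContinue
Write-Host "TCP ${VaHost}:${VaPort} reachable: $($tnc.TcpTestSucceeded)"

# 3. Is the beat connected right now? Beats keep the connection open while they
#    have events to send, so an established session is a good sign.
$conn = Get-NetTCPConnection -State Established -RemotePort $VaPort -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $VaHost }
Write-Host "Established connection to VA: $([bool]$conn)"

# 4. Recent errors and warnings from the newest Packetbeat log file.
Get-ChildItem -Path $LogDir -Filter 'packetbeat*' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    Select-String -Pattern '\bERROR\b|\bWARN\b' | Select-Object -Last 5

# 5. Generate a query that the drop_event filter does NOT discard. It has to come
#    from another host: queries whose client.ip is this server are dropped by design,
#    so testing with Resolve-DnsName on the server itself proves nothing.
Invoke-Command -ComputerName $Client -ScriptBlock {
    Resolve-DnsName -Name 'www.example.com' -Server $using:ServerIp -Type A -DnsOnly
}
# The query from $Client should then show up in the Lumu portal for that endpoint.
# If it does not while checks 2 and 3 pass, re-check packetbeat.interfaces.device:
# capturing on the wrong adapter yields a healthy but empty pipeline.
```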

Uninstall Packetbeat and Npcap

In case you want to uninstall Packetbeat or Npcap from your Windows Server, follow the next steps:

Uninstall Packetbeat

From Windows PowerShell go to the Packetbeat installation path and execute the following script:

PS C:\Program Files\Packetbeat> .\uninstall-service-packetbeat.ps1

If PowerShell refuses to run the script because of the execution policy, launch it with the policy overridden for that child process only:

PS C:\Program Files\Packetbeat> PowerShell.exe -ExecutionPolicy Unrestricted -File .\uninstall-service-packetbeat.ps1

Packetbeat uninstall script output
Uninstall Npcap

From the Windows Control Panel, go to “Programs and Features”, choose Npcap from the list and select "Uninstall".

Uninstalling Npcap
