Packetbeat can't analyze ICMP packets sent - elasticsearch

I am trying to index ICMP packets into elasticsearch using Packetbeat. I do know that the current Packetbeat infrastructure only provides support for TCP & UDP plugins, so it starts at the transport layer. ICMP is one layer below (the network layer), but is there any way in which I could get these data indexed?
I tried adding this to packetbeat.yml:
icmp.enabled: true

This is not implemented yet, but an issue has been filed; it is still open and is being worked on.
If you don't feel like waiting and want to develop your own extension, you may do so by adding a new protocol yourself.

Related

Integration of Shenzhen Concox Information Technology Tracker GT06 with EC2

I have a concox GT06 device from which I want to send tracking data to my AWS Server.
The coding protocol manual that comes with it only explains the data structure and protocol.
How does my server receive the GPS data collected by my tracker?
Verify that your server allows you to open sockets, which most low-cost solutions do NOT allow for security reasons (I recommend using an Amazon EC2 virtual machine as your platform).
Choose a port on which your application will listen for incoming data, verify that it is open (if not, open it) and code your application (I use C++) to listen on that port.
Compile and run your application on the server (and make sure that it stays alive).
Configure your tracker (usually by sending an SMS to it) to send data to your server's IP and to the port on which your application is listening.
If you are, as I suspect you are, just beginning, consider that you will invest 2 to 3 weeks to develop this solution from scratch. You might also consider looking for a pre-developed tracking platform, which may or may not be acceptable in terms of data security.
You can find examples and tutorials online. I am usually very open with my coding and would gladly send a copy of the socket server, but, in this case, for security reasons, I cannot do so.
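As an added example (not the answerer's C++ server, and not the asker's or any vendor's code), here is a Python listener for the "code your application to listen on that port" step. It frames the raw TCP stream before any parsing, which is where hand-written socket servers usually break: garbage before a frame, several frames in one recv(), a frame split across two recv() calls, or a length byte that does not match the stop marker. The frame layout (start marker 0x78 0x78, one length byte counting the bytes up to the stop marker, stop marker 0x0D 0x0A, protocol number at byte 3) is an assumption drawn from how GT06-style manuals describe packets; the listening port 5023 is a placeholder. Check both against the manual that came with the device.

```python
"""Added example (not the asker's or any vendor's code): a threaded TCP listener
that frames tracker traffic before parsing it. The frame layout is an assumption
taken from how GT06-style manuals describe packets: start marker 0x78 0x78, one
length byte, payload (protocol number, content, serial, checksum), stop marker
0x0D 0x0A. Check the length and checksum rules against your own manual."""
import logging
import socket
import socketserver
from typing import List, Tuple

START = b"\x78\x78"
STOP = b"\x0d\x0a"
MAX_PENDING = 4096   # drop a peer that sends this much without a valid frame
IDLE_TIMEOUT = 120   # seconds without data before the connection is closed


def split_frames(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a stream buffer into complete frames and the unconsumed remainder.

    Handles the stream edge cases a raw socket reader meets: garbage before the
    start marker, several frames in one recv(), a frame split across two recv()
    calls, and a length byte that does not line up with the stop marker."""
    frames: List[bytes] = []
    while True:
        idx = buf.find(START)
        if idx < 0:
            # keep a trailing 0x78 in case the start marker arrives split
            return frames, (buf[-1:] if buf.endswith(START[:1]) else b"")
        buf = buf[idx:]
        if len(buf) < 3:
            return frames, buf            # start marker seen, length byte not yet
        # assumption: the length byte counts the bytes after it, up to the stop marker
        end = 3 + buf[2]
        if len(buf) < end + 2:
            return frames, buf            # partial frame; wait for the next recv()
        if buf[end:end + 2] != STOP:
            buf = buf[2:]                 # bad length: resync past this start marker
            continue
        frames.append(buf[:end + 2])
        buf = buf[end + 2:]


class TrackerHandler(socketserver.BaseRequestHandler):
    """One connection per device; frames are logged, not yet decoded."""

    def handle(self) -> None:
        self.request.settimeout(IDLE_TIMEOUT)
        pending = b""
        while True:
            try:
                chunk = self.request.recv(1024)
            except socket.timeout:
                logging.info("%s idle, closing", self.client_address)
                break
            if not chunk:
                break
            pending += chunk
            frames, pending = split_frames(pending)
            for frame in frames:
                # byte 3 is the protocol number in the assumed layout
                logging.info("%s frame protocol=0x%02x bytes=%d",
                             self.client_address, frame[3], len(frame))
            if len(pending) > MAX_PENDING:
                logging.warning("%s no valid frame in %d bytes, closing",
                                self.client_address, len(pending))
                break


def serve(host: str = "0.0.0.0", port: int = 5023) -> None:
    """Listen on the chosen port (5023 is a placeholder; pick your own)."""
    logging.basicConfig(level=logging.INFO)
    with socketserver.ThreadingTCPServer((host, port), TrackerHandler) as srv:
        srv.daemon_threads = True
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

The idle timeout and the pending-buffer cap are the two controls that keep an exposed listener from being tied up by a device (or anything else on the internet that finds the open port) that connects and never sends a valid frame; tune both to the reporting interval your trackers actually use.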
Instead of parsing TCP or UDP packets directly, you may use a simplified solution that puts middleware backends specialized in data parsing in between, e.g. flespi.
In such an approach you may use an HTTP REST API to fetch each new portion of data from trackers sent to your dedicated IP:port (called a channel), or even send standardized commands over HTTP REST to connected devices.
At the same time it is possible to open an MQTT connection using standard libraries and receive messages from devices converted into JSON over MQTT in real time, which is even better than REST due to almost zero latency.
If you are using Python you may take a look at the open-source flespi_receiver library. In this approach, with 10 lines of code, you may have whole messages from the Concox GT06 parsed into JSON on your EC2.

Websocket stability issue

I am testing WebSocket connectivity over VPN. I see that it is much more stable when using the host name to connect than when using the IP address alone.
Could somebody suggest any possible reason for this?
Also, I could not find anywhere whether WebSocket frames are transmitted sequentially or in a random fashion.
WebSocket relies on TCP which orders the data for you. TCP gives you the abstraction of an ordered stream.
WebSocket can either use hostnames or IP addresses. Not quite sure what you mean by "much more stable", but if you are experiencing connectivity issues, it could be your DNS service... or it could be the implementation of WebSocket that you are using.

How can I view AMQP traffic coming to/from my computer

I tried using Wireshark and filtering on "amqp" but nothing shows up. Does this confirm that no AMQP is coming in/out of my machine or is there some further setup that I need to do to see the AMQP traffic?
There are a couple of reasons Wireshark won't show decoded protocol packets:
1. Prerequisite protocol plugins aren't enabled
2. You're using a non-standard port
To check 1 above, you'll need to make sure that the enabled protocols (under Analyze->Enabled Protocols... in the UI menu) include Ethernet, IPv4/6, and TCP.
As for 2 above, Wireshark won't attempt to identify all protocols on all ports, so protocol plugins specify the ports you can monitor on. For the AMQP plugin the only port you can monitor AMQP packets on is 5672. A lot of Wireshark plugins have a preferences page where you can define the ports to look for that protocol on, but the AMQP plugin doesn't (at least it doesn't appear to in the latest stable release 1.12.8, although it looks like it has been implemented, perhaps in the development release), so the only way to monitor AMQP traffic is to make sure you're using the default port of 5672.

Snmp++ (v3.2) receive informs over TCP

I'm trying to implement a simple NMS with the snmp++ V3.2 API.
The objective is to receive SNMP informs over TCP.
The problem is that I only receive informs over UDP... I implemented an agent in Java with the SNMP4J API, but it only works when I send via UDP.
I have searched for examples but I only find examples with an agent sending traps/informs via UDP to an snmp++ manager....
I also found this: http://lists.agentpp.org/pipermail/agentpp/2005-October/003196.html. Is it possible that TCP communication is not yet implemented in SNMP++?
The big question is, can snmp++ managers receive alerts via TCP? If yes, does someone have an example/tutorial to show me?
SNMP over TCP is defined in RFC 3430 as an experimental standard. It is not widely adopted, and based on its FAQ SNMP++ does not support it at all:
http://oosnmp.net/confluence/pages/viewpage.action?pageId=7766018

UDP Server to client communication - UDP being stateless, how to by-pass router?

In a recent series of questions I have asked a lot about UDP, boost::asio and C++ in general.
My latest question, which doesn't seem to have an answer here at Stack Overflow, is this:
In a client/server application, it is quite okay to require that the server open a port in any firewall, so that messages are allowed in. However, doing the same for clients is definitely not a great user experience.
TCP connections typically achieve this due to the fact that most routers support stateful packet inspection, allowing response packets through if the original request originated from the local host.
It is not quite clear to me how this would work with UDP, since UDP is stateless, and there is no such thing as "response packets" (to my knowledge). How should I account for this in my client application?
Thanks for any answers!
UDP itself is stateless, but the firewall typically is not. The convention on UDP is that if a request goes out from client:port_A to server:port_B, then the response will come back from server:port_B to client:port_A.
The firewall can take advantage of this. If it sees a UDP request go out from the client, it adds an entry to its state table that lets it recognise the response(s), to allow them in. Because UDP is stateless and has no indication of connection termination, the firewall will typically implement a timeout - if no traffic occurs between that UDP address pair for a certain amount of time, the association in the firewall's state table is removed.
So, to take advantage of this in your client application, simply ensure that your server sends responses back from the same port that it uses to receive the requests.
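The convention in this answer, as an added example that is not part of the original question or answer: a loopback UDP round trip run twice, once with the server replying from the socket it listens on and once from a freshly created socket, plus a toy model of the firewall state table described above (a class written for this example; the 30-second timeout is an assumed value, real firewalls use their own). Loopback has no firewall, so the reply always arrives; the filter object is what shows whether a stateful firewall at the client's edge would have admitted it.

```python
"""Added example, not code from the asker or answerer: shows why a UDP server
must answer from the socket it received on, and models the firewall state
table that makes this matter."""
import socket
import threading
import time
from typing import Dict, Tuple


class StatefulUdpFilter:
    """Toy model of a stateful firewall's UDP table (an assumption for this
    example): an outbound datagram client:port_A -> server:port_B creates an
    entry; an inbound datagram is admitted only if it reverses that exact pair
    and the entry has not idled past the timeout."""

    def __init__(self, timeout_s: float = 30.0) -> None:
        self.timeout_s = timeout_s
        self.table: Dict[Tuple[int, int], float] = {}   # (client_port, server_port) -> last seen

    def outbound(self, client_port: int, server_port: int, now: float) -> None:
        self.table[(client_port, server_port)] = now

    def inbound(self, server_port: int, client_port: int, now: float) -> bool:
        key = (client_port, server_port)
        seen = self.table.get(key)
        if seen is None or now - seen > self.timeout_s:
            self.table.pop(key, None)       # no association, or it timed out
            return False
        self.table[key] = now               # any traffic refreshes the entry
        return True


def run_exchange(reply_from_same_socket: bool) -> Tuple[int, int, bool]:
    """Loopback client/server round trip. Returns (server listening port,
    source port of the reply, whether the toy firewall admits the reply)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server_port = server.getsockname()[1]

    def serve_one() -> None:
        data, client = server.recvfrom(2048)
        if reply_from_same_socket:
            server.sendto(b"ack:" + data, client)      # source port == listening port
        else:
            # common mistake: a fresh socket gets an ephemeral source port,
            # so the reply no longer matches the firewall's state entry
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as other:
                other.sendto(b"ack:" + data, client)

    worker = threading.Thread(target=serve_one)
    worker.start()

    fw = StatefulUdpFilter()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind(("127.0.0.1", 0))
    client_port = client.getsockname()[1]
    client.settimeout(2.0)

    fw.outbound(client_port, server_port, time.monotonic())
    client.sendto(b"ping", ("127.0.0.1", server_port))
    _, (_, reply_port) = client.recvfrom(2048)        # arrives: loopback has no firewall
    admitted = fw.inbound(reply_port, client_port, time.monotonic())

    worker.join()
    client.close()
    server.close()
    return server_port, reply_port, admitted


if __name__ == "__main__":
    for same in (True, False):
        listen, src, ok = run_exchange(same)
        print(f"reply from listening socket={same}: listen={listen} reply_src={src} admitted={ok}")
```

The timeout branch of the filter is the other half of the answer's point: a client that expects unsolicited server-to-client datagrams later (push notifications, game state) has to keep sending something within the firewall's idle window, or the association disappears and the next server datagram is dropped.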
