Packetbeat SPAN port Cisco switch 2960

Hi guys,

I transfer a SPAN port on a Cisco 2960 to a VM (Windows 2016),
and I see the traffic on the interface in the VM with Wireshark on Windows 2016.
The VM has two interfaces with IPs in the 192.168.0.112,113 range.
I can't send the traffic into the Graylog server (version 3.1) with the Packetbeat collector sidecar.
Who has faced such a scenario or problem?
Please guide me.

++++++++++++++++++++++++++++++++++++++++++++++++++++

My colleagues and I have solved the issue.

  1. Find a spare NIC on a vSphere host

  2. Connect the spare NIC to a port on the same switch as the port you want to monitor.

  3. Configure a new Standard vSwitch on the vSphere host

  4. Attach the spare vmnic to the vSwitch

  5. Configure the vSwitch to allow promiscuous mode

  6. Create an untagged Port Group called SPAN Target

  7. Connect a VM running a sniffer to the Port Group

  8. Configure a SPAN session using the spare vmnic’s switchport as the SPAN target

  9. Start the sniffer and you should be capturing traffic from the physical port
  10. Config sidecar

    Config packetbeat Sidecar:

        ###########################################################
        # Needed for Graylog
        fields_under_root: true
        fields.collector_node_id: ${sidecar.nodeName}
        fields.gl2_source_collector: ${sidecar.nodeId}

        path:
          data: C:\Program Files\Graylog\sidecar\cache\packetbeat\data
          logs: C:\Program Files\Graylog\sidecar\logs
        tags:
          - windows

        # Index of the capture interface (the NIC attached to the SPAN port group)
        packetbeat.interfaces:
          device: 0

        # Protocols to decode and the ports they are expected on
        packetbeat.protocols:
          dns:
            ports: [53]
            include_authorities: true
            include_additionals: true
          http:
            ports: [80, 8080, 8000, 5000, 8002]
          dhcpv4:
            ports: [67, 68]
          tls:
            ports: [443, 993, 995]

        # Ship events to the Graylog server's Beats input
        output:
          logstash:
            hosts: ["192.168.0.57:7777"]
        ###########################################################
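A check for step 9, as an added example that is not part of the original posts: it reads a capture saved on the sniffer VM in classic pcap format and counts frames addressed to other hosts, which is the traffic the SPAN session and the promiscuous port group are there to deliver. The MAC addresses and the two sample captures are constructed, and `classify_pcap`, `mirror_working`, `build_pcap` and `eth` are hypothetical names.

```python
import struct
# pcap magic bytes as stored in the file -> struct byte-order prefix
_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def classify_pcap(data, local_mac):
    """Count Ethernet frames in a classic pcap by who they were addressed to."""
    order = _MAGIC.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts = {"local": 0, "group": 0, "foreign_unicast": 0}
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(data):              # 16-byte header before each record
        incl_len = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            continue                          # truncated, no full Ethernet header
        dst, src = frame[:6], frame[6:12]
        if local_mac in (dst, src):
            counts["local"] += 1              # the sniffer VM's own traffic
        elif dst[0] & 1:
            counts["group"] += 1              # broadcast/multicast, flooded anyway
        else:
            counts["foreign_unicast"] += 1    # between other hosts: mirrored traffic
    return counts

def mirror_working(counts):
    return counts["foreign_unicast"] > 0

# Constructed sample captures (assumed MACs, not taken from the thread)
def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def eth(dst, src):
    return dst + src + b"\x08\x00" + bytes(46)   # IPv4 ethertype, zero payload

VM, A, B = (bytes.fromhex(m) for m in ("005056000001", "020000000a01", "020000000b01"))
BCAST = b"\xff" * 6
NO_MIRROR = build_pcap([eth(BCAST, A), eth(VM, A), eth(A, VM)])
MIRRORED = build_pcap([eth(BCAST, A), eth(VM, A), eth(B, A), eth(A, B)])

if __name__ == "__main__":
    print(classify_pcap(NO_MIRROR, VM), classify_pcap(MIRRORED, VM))
```

A few foreign unicast frames can also arrive through unknown-unicast flooding on the switch, so look for a sustained count rather than a single frame.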