FW: 7297+
PCAP2JSON v2: Ver:606+
By default pcap2json does not support HTTPS / TLS connections, because TLS severely reduces the ES push performance. As a workaround you can run NGINX as a local proxy: pcap2json pushes plain HTTP to NGINX on the FMADIO system, and NGINX forwards the requests over HTTPS to the destination endpoint, as shown below.
In this example we configure an FMADIO100G system running pcap2json v2 to push over TLS to a cloud Elastic Stack instance hosted by elastic.io.
Configuring pcap2json for this is fairly simple. Start by configuring the nginx proxy as follows in the file
If the WWW section has not been created yet, add it as shown below. Replace the Endpoint and API Key with your own; the key ends up in plain text in this file, so keep the file readable only by the user nginx runs as.
Please refer to https://www.elastic.co/guide/en/kibana/master/api-keys.html for documentation on how to generate Elasticsearch API keys.
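The following is an added example of what such a proxy section can look like; it is not the page's own WWW section nor an FMADIO-supplied file. The listen port 8080, the URI prefix /es/, the upstream host name my-deployment.es.example-region.aws.found.io:9243 and the CA bundle path are assumptions to be replaced with your own endpoint. Two settings a practitioner should not skip are shown explicitly: nginx does not verify upstream TLS certificates unless proxy_ssl_verify is switched on, and without keepalive every bulk push pays a full TLS handshake, which is exactly the cost this workaround is trying to reduce.

```nginx
# Added example configuration (assumptions: port 8080, prefix /es/, host
# my-deployment.es.example-region.aws.found.io:9243, CA bundle path).
upstream es_backend {
    server my-deployment.es.example-region.aws.found.io:9243;
    # Keep TLS connections open between bulk pushes: the handshake, not the
    # record encryption, is the expensive part of HTTPS push.
    keepalive 16;
}

server {
    # Bind to loopback only: the plaintext side of the proxy must never be
    # reachable from the network.
    listen 127.0.0.1:8080;

    location /es/ {
        # Trailing slash strips the prefix: /es/_bulk -> https://.../_bulk
        proxy_pass https://es_backend/;

        # Upstream keepalive needs HTTP/1.1 and an empty Connection header.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        # With a named upstream, Host and SNI would default to "es_backend";
        # set both to the real endpoint name.
        proxy_set_header Host my-deployment.es.example-region.aws.found.io;
        proxy_ssl_name my-deployment.es.example-region.aws.found.io;
        proxy_ssl_server_name on;

        # Inject the Elasticsearch API key (the base64 "encoded" form shown by
        # Kibana) so pcap2json itself never handles the credential.
        proxy_set_header Authorization "ApiKey REPLACE_WITH_ENCODED_API_KEY";

        # nginx does NOT verify the upstream certificate by default; without
        # these three lines the "HTTPS" leg is open to interception.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Bulk bodies from pcap2json are large; do not cap or spool them.
        client_max_body_size 0;
        proxy_request_buffering off;
    }
}
```

With this in place the cluster health check from the next step becomes a plain HTTP request to http://127.0.0.1:8080/es/_cluster/health, and pcap2json is pointed at the same host, port and /es/ prefix. If the check returns a 502 and the nginx error log mentions certificate verification, the CA bundle path is wrong or the endpoint presents a certificate the bundle does not trust; fix the bundle rather than turning proxy_ssl_verify off.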
For the above configuration to take effect, nginx must be reloaded by doing the following
After killing the process it may take up to 1 minute for nginx to respawn and be up and running again.
Next, check that the TLS proxy is working correctly by querying the ES node for a valid response.
Note that the query itself uses plain http: the URI prefix routes the request through the nginx instance running on the FMADIO system, which proxies it out as an HTTPS connection to the ES endpoint, usually on a WAN or internet-facing IP.
Correct example output looks like the following
If this is not the result you get, check the nginx logfile shown below for troubleshooting
Configuring pcap2json itself is quite simple. Because HTTPS/TLS push is less performant, the total number of concurrent ES push operations needs to be restricted, as follows
Next, change the --es-host target to the local nginx proxy as follows
In addition, all URI requests must carry the prefix so the FMADIO nginx routes them correctly
Save the file and pcap2json will run as normal, but push to your remote ES cluster over HTTPS/TLS.
If there are any issues, check the pcap2json logfile below for problems, together with the same nginx error logfile as above.
The following is a full backend example configuration file for reference.