Description
Packetbeat's Documentation includes configuration options that are not included in the integration (at least with managed agents).
packetbeat.interfaces.with_vlans
...[I]f the traffic contains VLAN tags, the filter that Packetbeat generates is ineffective because the offset is moved by four bytes. To fix this, you can enable the with_vlans option, which generates a BPF filter that looks like this: "port 80 or port 3306 or (vlan and (port 80 or port 3306))"
Aside from fixing that issue, this would also enrich the event with extra information. These fields are included in the exported fields list, but they're not in any of the generated sample events.
packetbeat.ignore_outgoing
Allow users to toggle whether outgoing packets are included. This would support scenarios where only inbound traffic is wanted, or avoiding duplicate captures if both source and destination are running packet capture.
Proposed Enhancement
Include toggles in the package manifest for Network Packet Capture to enable/disable the with_vlans and ignore_outgoing configuration options.
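The four-byte offset shift quoted from the Packetbeat documentation above, shown as an added example that is not part of the issue or of Packetbeat's code. It is a simplified Python model of fixed-offset port matching (IPv4/TCP only); the frames are constructed samples and all function names are hypothetical.

```python
import struct

ETH_IPV4, ETH_VLAN = 0x0800, 0x8100  # EtherTypes: IPv4 and the 802.1Q tag
PORTS = {80, 3306}                   # ports from the filter quoted in the issue

def build_frame(dst_port, vlan_id=None):
    """Constructed sample: Ethernet + IPv4 + TCP headers, optionally 802.1Q tagged."""
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_VLAN, vlan_id & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 49152, dst_port, 0, 0, 0x50, 0x02, 1024, 0, 0)
    return bytes(12) + tag + struct.pack("!H", ETH_IPV4) + ip + tcp

def tcp_ports_at(frame, l3_offset):
    """Read (src, dst) ports assuming the IP header starts at l3_offset, else None."""
    if len(frame) < l3_offset + 20:
        return None
    if struct.unpack_from("!H", frame, l3_offset - 2)[0] != ETH_IPV4:
        return None
    ihl = (frame[l3_offset] & 0x0F) * 4
    if frame[l3_offset + 9] != 6 or len(frame) < l3_offset + ihl + 4:
        return None
    return struct.unpack_from("!HH", frame, l3_offset + ihl)

def vlan_id(frame):
    """VLAN ID from the 802.1Q tag, or None when the frame is untagged."""
    if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] != ETH_VLAN:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF

def match_plain(frame, ports=PORTS):
    """Models "port 80 or port 3306": the IP header is expected at byte 14."""
    found = tcp_ports_at(frame, 14)
    return found is not None and bool(set(found) & ports)

def match_with_vlans(frame, ports=PORTS):
    """Models "<filter> or (vlan and (<filter>))": retries 4 bytes later if tagged."""
    if match_plain(frame, ports):
        return True
    found = tcp_ports_at(frame, 18) if vlan_id(frame) is not None else None
    return found is not None and bool(set(found) & ports)

if __name__ == "__main__":
    for label, frame in (("untagged", build_frame(80)), ("vlan 100", build_frame(80, 100))):
        print(label, "plain:", match_plain(frame), "with_vlans:", match_with_vlans(frame))
```

A tagged frame that the plain filter drops never reaches the protocol analyzers, so the traffic is silently missing from the captured events rather than logged as an error.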