
Rogue Elasticstack, replacing all protocols with Elasticstack

asked 2023-02-19 18:03:30 +0000

I was capturing traffic through Ethernet, when all of a sudden every single packet coming through turned into protocol Elasticstack, and all the fields appeared to be encrypted. I don't have Elasticstack. I contacted Elasticstack regarding this issue; they told me to reach out to Wireshark. So since you don't have any contact information at your company Wireshark, I feel this is the best place to start. Please explain to me what would cause this to happen. If packets never lie, then there might be something of value to learn from this. Thank you.


1 Answer


answered 2023-02-20 12:13:52 +0000

Jaap

The Elasticsearch dissector uses UDP port 54328 and TCP port 9300 by default. UDP and TCP packets using these ports run the risk of being mislabeled like this. The simplest way to solve this, since you do not deploy Elasticsearch, is to simply disable the Elasticsearch protocol through the menu Analyze | Enabled Protocols..., search for Elasticsearch in that dialog and uncheck the protocol.

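As an added example (not part of the original answer): the Enabled Protocols dialog persists its choices as one protocol filter name per line in the `disabled_protos` file of the active Wireshark profile, so the same fix can be scripted and verified from the command line with tshark instead of the GUI. The profile path `~/.config/wireshark`, the capture file name `capture.pcapng` and the `APPLY_DISABLE` switch are assumptions for this example; the filter name `elasticsearch` and the ports 9300/54328 are the ones the answer refers to.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Wireshark project.
# Disables the Elasticsearch dissector persistently (disabled_protos) and checks
# how the affected packets are labelled before and after, using tshark.

# Append a protocol filter name to a disabled_protos file unless already present.
# Usage: disable_proto <disabled_protos file> <protocol filter name>
disable_proto() {
    file=$1
    proto=$2
    if [ -f "$file" ] && grep -qxF "$proto" "$file"; then
        return 0                     # already listed, keep the file unchanged
    fi
    printf '%s\n' "$proto" >> "$file"
}

# Exit status 0 if the protocol is listed as disabled in the given file.
is_disabled() {
    grep -qxF "$2" "$1" 2>/dev/null
}

# Show frame number and the Protocol column for traffic on the two ports the
# dissector claims, with the dissector disabled just for this run.
# Usage: show_port_traffic <capture file>
show_port_traffic() {
    tshark -r "$1" --disable-protocol elasticsearch \
        -Y "tcp.port==9300 || udp.port==54328" \
        -T fields -e frame.number -e _ws.col.Protocol
}

# Only touch the real profile when explicitly asked (APPLY_DISABLE=1 is an
# assumed switch for this example, not a Wireshark setting).
if [ "${APPLY_DISABLE:-0}" = "1" ]; then
    profile_dir=${WIRESHARK_PROFILE_DIR:-"$HOME/.config/wireshark"}   # assumed default location
    mkdir -p "$profile_dir"
    disable_proto "$profile_dir/disabled_protos" elasticsearch
    if command -v tshark >/dev/null 2>&1; then
        # Confirm the filter name the dissector registers under.
        tshark -G protocols | grep -i elasticsearch
        show_port_traffic capture.pcapng   # hypothetical capture file name
    fi
fi
```

After the `disabled_protos` edit, both the GUI and tshark stop dissecting those ports as Elasticsearch and the Protocol column falls back to TCP/UDP; the `--disable-protocol` flag does the same for a single tshark run without touching the profile.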



Last updated: Feb 20