Network Packet Capture GA Blockers

[jamiehynds]

Our 'Network Packet Capture' experimental integration shipped in 7.15, allowing users to capture network traffic using Elastic Agent, with Packetbeat running under the hood. Before moving the integration to Beta/GA, we will use this meta issue to capture relevant enhancements:

• Deploying npcap with Network Packet Capture integration #2132
• Add dashboards to integration (including new maps)
• Network Packet Capture - Protocol Settings #2860
• Add option for processors within the integration inline with other integrations (e.g. dropping events)
• Documentation/integration description

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[andrewkroh]

Dashboards have been added (#2762) and the package marked as beta (#2903). The pending task to go GA is to add the configuration options that are specific to the each protocol plugin (e.g. include_raw_certificates for TLS).

• Network Packet Capture - Protocol Settings #2860

[eric-ooi]

Any timeline for when the aarch64 flavor of packetbeat will be available? Just switched out my macOS 8.2 agent to the aarch64 release and noticed it not deploying properly. Searching through the logs and confirming on the downloads page that it's because packetbeat isn't available for aarch64 yet. :(

[andrewkroh]

See elastic/beats#21855 for tracking M1 support.

[epixa]

It looks like the protocol task is done. Is this package ready for GA? @andrewkroh @efd6

[jamiehynds]

The docs still need some work, as we just list the exported fields today and don't provide any guidance around configuration traffic capture options and the settings available for each protocol. It could be as simple as copying most of the current Packetbeat documentation. This isn't a blocker GA, just something we'll need to address.

[efd6]

I'll do that today.

[efd6]

Looking through the packetbeat docs we currently don't expose the configurations for packetbeat.interfaces.* beyond file and device. Do we want to expose those (e.g. type, buffer_size_mb, snaplen...)? I think probably not in the first instance since in the context of integrations over a set of hosts managed by fleet they add potential for a bad user experience.

[jamiehynds]

@efd6 Agreed, fine to not expose for now. Don't envisage strong demand to expose them either, but we can revisit down the line if needed.

[efd6]

@jamiehynds Please take a look at the docs added at #3371.

[jamiehynds]

sorry for the delay @efd6 - I just added a comment to expand on the integration description. Otherwise, LGTM.

[epixa]

This is now GA

[Lokey92]

Was this tested for Windows 10 machines before it became GA?