A lot of packets not making it into Kibana

[w4rc0n]

I'm using SO 2.3.21, and I've noticed that I'm missing a lot of data that I have confirmed is coming across the port mirror from my switch. For example:

If I SSH from 192.168.1.10 to 192.168.2.3 and the packets are tagged with vlan 100, that data never shows up in SOC, or Kibana.

I know that zeek and stenographer have issues seeing the vlan tag on packets that it gets, because the kernal strips them at a lower level, but that implies that zeek and steno should still be seeing the packet data.

Am I misunderstanding that warning? I can't see any VLAN tagged traffic across any Security Onion tools.

My BPF looks like this with IPs changed:

[TOoSmOotH]

What do you see when you type the following:

sudo tcpdump -nni bond0 -e vlan

[w4rc0n]

Actually, I don't think it's related to VLANs. There is a ton of SSH traffic when using tcpdump like you said with 'vlan' and 'not vlan' BPFs on bond0 on the sensor, but only like 1% of it shows up in kibana. There are thousands of SSH connections happening per minute on the networks being monitored via port mirror, but kibana is only showing SSH connections from very specific hosts.

Grafana shows no capture or packet loss for the sensor. I am at a loss for why some traffic is just not being processed.

[w4rc0n]

@TOoSmOotH Did a full reinstall but am still struggling with this.

[TOoSmOotH]

Zeek is tracking sessions not the packets. Are you missing specific IP and port pairs?

[w4rc0n]

@TOoSmOotH It's hard to nail down, I have about a third of a /24 and a /23 subnet not reporting. I have a /23 subnet and of that subnet I have one machine making probably 40-50 SSH sessions a day, and literally only 1 of those made it into Kibana via Zeek.

There's a full gigabit of traffic I'm monitoring, and I get a lot of data, but I've noticed sessions like SSH getting vastly ignored by zeek. Grafana indicates packet loss on the sensor as nominal.