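Packetbeat is a real-time network packet analysis tool that works together with Elasticsearch to provide an application monitoring and analytics system.
Packetbeat sniffs the network traffic between application servers, decodes application-layer protocols such as HTTP, MySQL and Redis, correlates requests with responses, and records the meaningful fields of each transaction.
Packetbeat monitors traffic on the network interface of the host it listens on. To monitor nginx traffic, Packetbeat has to be installed on the nginx host and configured to send its output to Elasticsearch for analysis; output to Kafka, Redis (not recommended) or Logstash is also supported.
The protocols and ports Packetbeat supports are: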
- type: icmp
- type: amqp
  ports: [5672]
- type: cassandra
  ports: [9042]
- type: dhcpv4
  ports: [67, 68]
- type: dns
  ports: [53]
- type: http
  ports: [80, 8080, 8000, 5000, 8002]
- type: memcache
  ports: [11211]
- type: mysql
  ports: [3306, 3307]
- type: pgsql
  ports: [5432]
- type: redis
  ports: [6379]
- type: thrift
  ports: [9090]
- type: mongodb
  ports: [27017]
- type: nfs
  ports: [2049]
- type: tls
  ports:
    - 443   # HTTPS
    - 993   # IMAPS
    - 995   # POP3S
    - 5223  # XMPP over SSL
    - 8443
    - 8883  # Secure MQTT
    - 9243  # Elasticsearch
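There are already plenty of Packetbeat installation tutorials online, so I won't repeat them here; see the official site for reference.
My main goal is to monitor nginx traffic, so only the corresponding http and https ports need to be enabled.
The default Packetbeat configuration does not parse request and response bodies. Adding the following settings under the http entry makes Packetbeat break the HTTP protocol down in detail: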
- type: http
  ports: [80, 8080, 8000, 5000, 8002]
  # settings added under the http entry
  split_cookie: true
  send_all_headers: true
  send_request: true
  send_response: true
  include_body_for: ["text/html", "text/plain", "text/xml", "application/xhtml+xml", "application/xml", "application/atom+xml", "application/json"]
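With these settings every header, cookie and matching body that crosses the monitored ports is stored in Elasticsearch, including session cookies, bearer tokens and submitted passwords. The variant below is an added example, not part of the original post, showing the same http entry with Packetbeat's own options for limiting what gets indexed; the header allowlist and the keyword names are sample values to adapt.

```yaml
# Added example (not from the original post): reduced-exposure form of the http entry.
- type: http
  ports: [80, 8080, 8000, 5000, 8002]

  # Index an allowlist of headers instead of send_all_headers: true,
  # so Cookie, Set-Cookie and custom token headers are not stored.
  send_all_headers: false
  send_headers: ["Host", "User-Agent", "Content-Type", "Referer"]  # sample allowlist

  # With no Cookie header captured there is nothing to split.
  split_cookie: false

  # Obscure the value of the Authorization and Proxy-Authorization headers.
  redact_authorization: true

  # Replace the values of these query/form parameters with "xxxxx".
  # Parameter names are samples; list the ones your applications really use.
  hide_keywords: ["password", "passwd", "pwd", "token", "secret"]

  # The raw request/response text carries whatever the client and server sent.
  # Leave these off in normal operation and enable them only while debugging.
  send_request: false
  send_response: false

  # Capture bodies only for the content types you need to analyse.
  include_body_for: ["application/json"]
```

Whatever is still captured ends up in the Packetbeat indices, so access to those indices in Elasticsearch and Kibana should be restricted to the people who are allowed to see the traffic itself.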
After startup, HTTP traffic is displayed in Kibana as follows: