From e973db037b2a1114b1adeaa2d0a5cf95e5c9b34f Mon Sep 17 00:00:00 2001
From: Developpement Web Thomas Paulmyer
 <webpaulm@suvm-web60.unix.sits.credit-agricole.fr>
Date: Tue, 19 Jan 2016 14:03:33 +0100
Subject: [PATCH] amqp protocol

the FIELDS

updated Notes field when parsing of a Table fails, when no exchange, the field exchange is no longer displayed instead of none, commented the two Timestamp tests that made the Travis build failed

gofmted whole packetbeat code

empty exchange not displayed, connection.close and channel.close are now waiting for a close ok method. if the close ok method never arrives, the transaction is published in the expireTransaction function and the Notes field is updated to indicate it

Create a proper ICMP only BPF filter

Update to golang 1.5.3

Filebeat system tests adapted to new structure

Topbeat system tests updated

Move implementation of packetbeat system tests to new base

Not all code was moved to far, as there are some special implementations in packetbeat

Update winlogbeat to the newest beat system tests

Apply flake8

Fix 769: building the test binary includes all vendor package

"go test -c -covermode=atomic -coverpkg" is called with a list of packages isntead of "./..."

Add PyYAML to Windows vagrant box.

Change system test kill_and_wait method to gracefully stop processes on Windows

Fixes #599

Refactor beat exit

* Introduce Signal function which is called if using CTRL-C or similar
* Run now returns an error and doesn't exist itself anymore
* Fix spooler and crawler shutdown issue
* Update mockbeat to check Run return error.

Thanks to @cyrilleverrier for his contribution here.

Fix #779: libbeat/Makefile filters vendor folder

all the files inside the ./vendor/* folder are now excluded
when executing:
	make fmt
	make simplify
	make vet

Edit new/changed content added to topbeat for 1.1

Minor fix to awkward sentence

move preprocessor from libbeat and move packetbeat

- remove preprocessor worker completely from libbeat
- introduce transaction publisher in packetbeat to event processing:
  - GeoIP
  - normalize addresses
- simplify sync/async publisher client
- update new_protocol docs and changelog

Validate length in parser

Check length in pgsql parser before parsing column content in case column
length > buffer length.

changed results member of amqp struct to publish.Transactions, updated test file

handling of a message splitted in several body frames, need to test it. began to parse connection methods

handling of connection information methods, like connection.start, connection.open or channel.open, added a hide_connection_information in config set to true by default to choose to display them or not

fixed bytes in bytes out for classic methods, added basic qos method in connection information option, channel and connections methods with an error code above or equal to 300 are always published, some new functions are added to see if method reflects an error in the protocol

removed useless condition in expireTransaction

added some pcap tests

added three tests for amqp and their pcap files, corrected the fields.yml and added the amqp part in the packetbeat.yml.j2 for tests

camelcased structs, created parser file

updated the yaml with the last option, removed amqp.response field in the connectionStartOkMethod since it can hold the credentials of the client when a plain auth is selected

fixed yaml, camelcased const, some style fixes in code

added hasProperty function, added verbose in testing
---
 CHANGELOG.asciidoc                            |    8 +
 Dockerfile                                    |   26 +
 Vagrantfile                                   |    9 +
 filebeat/beat/spooler.go                      |  129 ++
 filebeat/tests/system/test_prospector.py      |    1 +
 libbeat/scripts/Makefile                      |   25 +
 packetbeat/beater/packetbeat.go               |    2 +
 packetbeat/config/config.go                   |    9 +
 packetbeat/etc/beat.yml                       |   23 +-
 packetbeat/etc/fields.yml                     |  203 +++
 packetbeat/packetbeat.yml                     |   20 +-
 packetbeat/protos/amqp/amqp.go                |  570 ++++++++
 packetbeat/protos/amqp/amqp_fields.go         |  199 +++
 packetbeat/protos/amqp/amqp_methods.go        |  782 +++++++++++
 packetbeat/protos/amqp/amqp_parser.go         |  339 +++++
 packetbeat/protos/amqp/amqp_structs.go        |  227 ++++
 packetbeat/protos/amqp/amqp_test.go           | 1192 +++++++++++++++++
 packetbeat/protos/protos.go                   |    2 +
 .../tests/system/config/packetbeat.yml.j2     |    5 +
 packetbeat/tests/system/packetbeat.py         |   13 +
 .../system/pcaps/amqp_channel_error.pcap      |  Bin 0 -> 2164 bytes
 .../tests/system/pcaps/amqp_emit_receive.pcap |  Bin 0 -> 5317 bytes
 .../tests/system/pcaps/amqp_publish.pcap      |  Bin 0 -> 2406 bytes
 .../tests/system/test_0051_amqp_publish.py    |   35 +
 .../system/test_0052_amqp_emit_receive.py     |   76 ++
 .../system/test_0053_amqp_channel_error.py    |   42 +
 topbeat/beater/topbeat.go                     |    1 +
 topbeat/docs/fields.asciidoc                  |    2 -
 28 files changed, 3935 insertions(+), 5 deletions(-)
 create mode 100644 Dockerfile
 create mode 100644 filebeat/beat/spooler.go
 create mode 100644 packetbeat/protos/amqp/amqp.go
 create mode 100644 packetbeat/protos/amqp/amqp_fields.go
 create mode 100644 packetbeat/protos/amqp/amqp_methods.go
 create mode 100644 packetbeat/protos/amqp/amqp_parser.go
 create mode 100644 packetbeat/protos/amqp/amqp_structs.go
 create mode 100644 packetbeat/protos/amqp/amqp_test.go
 create mode 100644 packetbeat/tests/system/pcaps/amqp_channel_error.pcap
 create mode 100644 packetbeat/tests/system/pcaps/amqp_emit_receive.pcap
 create mode 100644 packetbeat/tests/system/pcaps/amqp_publish.pcap
 create mode 100644 packetbeat/tests/system/test_0051_amqp_publish.py
 create mode 100644 packetbeat/tests/system/test_0052_amqp_emit_receive.py
 create mode 100644 packetbeat/tests/system/test_0053_amqp_channel_error.py

diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index cbdf1b7fcd3e..90209a9e0e1a 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -14,6 +14,9 @@ https://github.com/elastic/beats/compare/v1.1.0...master[Check the HEAD diff]
 
 *Affecting all Beats*
 - Run function to start a beat no returns an error instead of directly exiting. {pull}771[771]
+- Some publisher options refactoring in libbeat {pull}684[684]
+- Run function to start a beat no returns an error instead of directly exiting. {pull}771[771]
+- Move event preprocessor applying GeoIP to packetbeat {pull}772[772]
 
 *Packetbeat*
 - Rename output fields in the dns package. Former flag `recursion_allowed` becomes `recursion_available`. {pull}803[803]
@@ -41,6 +44,10 @@ https://github.com/elastic/beats/compare/v1.1.0...master[Check the HEAD diff]
 - Harden pgsql parser. {issue}565[565]
 
 *Packetbeat*
+- Fix setting direction to out and use its value to decide when dropping events if ignore_outgoing is enabled {pull}557[557]
+- Allow PF_RING sniffer type to be configured using pf_ring or pfring {pull}671[671]
+- Create a proper BPF filter when ICMP is the only enabled protocol {issue}757[757]
+- Check column length in pgsql parser. {issue}565{565
 
 *Topbeat*
 
@@ -56,6 +63,7 @@ https://github.com/elastic/beats/compare/v1.1.0...master[Check the HEAD diff]
 
 *Affecting all Beats*
 - Update builds to Golang version 1.5.3
+- Make logstash output compression level configurable. {pull}630[630]
 - Add ability to override configuration settings using environment variables {issue}114[114]
 - Libbeat now always exits through a single exit method for proper cleanup and control {pull}736[736]
 - Add ability to create Elasticsearch mapping on startup {pull}639[639]
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 000000000000..467b8ce8ddb3
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,26 @@
+FROM golang:1.5.3
+MAINTAINER Nicolas Ruflin <ruflin@elastic.co>
+
+RUN set -x && \
+    apt-get update && \
+    apt-get install -y netcat && \
+    apt-get clean
+
+
+## Install go package dependencies
+RUN set -x \
+  go get \
+	github.com/pierrre/gotestcover \
+	github.com/tsg/goautotest \
+	golang.org/x/tools/cmd/cover \
+	golang.org/x/tools/cmd/vet
+
+COPY libbeat/scripts/docker-entrypoint.sh /entrypoint.sh
+
+ENV GO15VENDOREXPERIMENT=1
+
+RUN mkdir -p /etc/pki/tls/certs
+COPY testing/environments/docker/logstash/pki/tls/certs/logstash.crt /etc/pki/tls/certs/logstash.crt
+
+# Create a copy of the respository inside the container.
+COPY . /go/src/github.com/elastic/beats/
diff --git a/Vagrantfile b/Vagrantfile
index 1221a7fc6577..2e5703e779ce 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -18,6 +18,7 @@
 #
 # solaris
 # -------------------
+<<<<<<< HEAD
 #   - Use gmake instead of make.
 #
 # freebsd
@@ -25,6 +26,10 @@
 #   - Use gmake instead of make.
 #   - Folder syncing doesn't work well. Consider copying the files into the box or
 #     cloning the project inside the box.
+=======
+# More development boxes can be added to this file and you can run commands
+# like "vagrant up solaris" or "vagrant up winxp" to start them.
+>>>>>>> amqp protocol
 
 # Provisioning for Windows PowerShell
 $winPsProvision = <<SCRIPT
@@ -59,6 +64,10 @@ Vagrant.configure(2) do |config|
 
   # Windows Server 2012 R2
   config.vm.define "win2012", primary: true do |win2012|
+<<<<<<< HEAD
+=======
+    # Windows Server 2012 R2
+>>>>>>> amqp protocol
     win2012.vm.box = "https://s3.amazonaws.com/beats-files/vagrant/beats-win2012-r2-virtualbox-2016-01-20_0057.box"
     win2012.vm.guest = :windows
 
diff --git a/filebeat/beat/spooler.go b/filebeat/beat/spooler.go
new file mode 100644
index 000000000000..61c7fc3df898
--- /dev/null
+++ b/filebeat/beat/spooler.go
@@ -0,0 +1,129 @@
+package beat
+
+import (
+	"time"
+
+	cfg "github.com/elastic/beats/filebeat/config"
+	"github.com/elastic/beats/filebeat/input"
+	"github.com/elastic/beats/libbeat/logp"
+)
+
+type Spooler struct {
+	Filebeat      *Filebeat
+	exit          chan struct{}
+	nextFlushTime time.Time
+	spool         []*input.FileEvent
+	Channel       chan *input.FileEvent
+}
+
+func NewSpooler(filebeat *Filebeat) *Spooler {
+	spooler := &Spooler{
+		Filebeat: filebeat,
+		exit:     make(chan struct{}),
+	}
+
+	config := &spooler.Filebeat.FbConfig.Filebeat
+
+	// Set the next flush time
+	spooler.nextFlushTime = time.Now().Add(config.IdleTimeoutDuration)
+	spooler.Channel = make(chan *input.FileEvent, 16)
+
+	return spooler
+}
+
+func (spooler *Spooler) Config() error {
+	config := &spooler.Filebeat.FbConfig.Filebeat
+
+	// Set default pool size if value not set
+	if config.SpoolSize == 0 {
+		config.SpoolSize = cfg.DefaultSpoolSize
+	}
+
+	// Set default idle timeout if not set
+	if config.IdleTimeout == "" {
+		logp.Debug("spooler", "Set idleTimeoutDuration to %s", cfg.DefaultIdleTimeout)
+		// Set it to default
+		config.IdleTimeoutDuration = cfg.DefaultIdleTimeout
+	} else {
+		var err error
+
+		config.IdleTimeoutDuration, err = time.ParseDuration(config.IdleTimeout)
+
+		if err != nil {
+			logp.Warn("Failed to parse idle timeout duration '%s'. Error was: %v", config.IdleTimeout, err)
+			return err
+		}
+	}
+
+	return nil
+}
+
+// Run runs the spooler
+// It heartbeats periodically. If the last flush was longer than
+// 'IdleTimeoutDuration' time ago, then we'll force a flush to prevent us from
+// holding on to spooled events for too long.
+func (s *Spooler) Run() {
+
+	config := &s.Filebeat.FbConfig.Filebeat
+
+	// Sets up ticket channel
+	ticker := time.NewTicker(config.IdleTimeoutDuration / 2)
+
+	s.spool = make([]*input.FileEvent, 0, config.SpoolSize)
+
+	logp.Info("Starting spooler: spool_size: %v; idle_timeout: %s", config.SpoolSize, config.IdleTimeoutDuration)
+
+	// Loops until running is set to false
+	for {
+		select {
+
+		case <-s.exit:
+			break
+		case event, ok := <-s.Channel:
+			if ok {
+				s.spool = append(s.spool, event)
+
+				// Spooler is full -> flush
+				if len(s.spool) == cap(s.spool) {
+					logp.Debug("spooler", "Flushing spooler because spooler full. Events flushed: %v", len(s.spool))
+					s.flush()
+				}
+			}
+		case <-ticker.C:
+			// Flush periodically
+			if time.Now().After(s.nextFlushTime) {
+				logp.Debug("spooler", "Flushing spooler because of timeout. Events flushed: %v", len(s.spool))
+				s.flush()
+			}
+		}
+	}
+}
+
+// Stop stops the spooler. Flushes events before stopping
+func (s *Spooler) Stop() {
+	logp.Info("Stopping spooler")
+	close(s.exit)
+
+	// Flush again before exiting spooler and closes channel
+	logp.Info("Spooler last flush spooler")
+	s.flush()
+	close(s.Channel)
+}
+
+// flush flushes all event and sends them to the publisher
+func (s *Spooler) flush() {
+	// Checks if any new objects
+	if len(s.spool) > 0 {
+
+		// copy buffer
+		tmpCopy := make([]*input.FileEvent, len(s.spool))
+		copy(tmpCopy, s.spool)
+
+		// clear buffer
+		s.spool = s.spool[:0]
+
+		// send
+		s.Filebeat.publisherChan <- tmpCopy
+	}
+	s.nextFlushTime = time.Now().Add(s.Filebeat.FbConfig.Filebeat.IdleTimeoutDuration)
+}
diff --git a/filebeat/tests/system/test_prospector.py b/filebeat/tests/system/test_prospector.py
index c15b9f985ed2..e9bec509eb0a 100644
--- a/filebeat/tests/system/test_prospector.py
+++ b/filebeat/tests/system/test_prospector.py
@@ -279,6 +279,7 @@ def test_no_paths_defined(self):
 
         filebeat.check_kill_and_wait(exit_code=1)
 
+
     def test_files_added_late(self):
         """
         Tests that prospectors stay running even though no harvesters are started yet
diff --git a/libbeat/scripts/Makefile b/libbeat/scripts/Makefile
index f15b69409e4b..751c8b99fbe2 100755
--- a/libbeat/scripts/Makefile
+++ b/libbeat/scripts/Makefile
@@ -58,7 +58,11 @@ build: $(GOFILES)
 # Create test coverage binary
 .PHONY: buildbeat.test
 buildbeat.test: $(GOFILES)
+<<<<<<< HEAD
 	go test $(RACE) -c -coverpkg ${GOPACKAGES_COMMA_SEP}
+=======
+	go test -c -covermode=atomic -coverpkg ${GOPACKAGES_COMMA_SEP}
+>>>>>>> amqp protocol
 
 # Cross-compile beat for the OS'es specified in GOX_OS variable.
 # The binaries are placed in the build/bin directory.
@@ -71,7 +75,11 @@ crosscompile: $(GOFILES)
 # Checks project and source code if everything is according to standard
 .PHONY: check
 check:
+<<<<<<< HEAD
 	@gofmt -l ${GOFILES_NOVENDOR} | (! grep . -q) || (echo "Code differs from gofmt's style" && false)
+=======
+	@gofmt -l ${GOFILES_NOVENDOR} | read && echo "Code differs from gofmt's style" 1>&2 && exit 1 || true
+>>>>>>> amqp protocol
 	go vet ${GOPACKAGES}
 
 # Runs gofmt -w on the project's source code, modifying any files that do not
@@ -137,12 +145,18 @@ integration-tests-environment:
 
 # Runs the system tests
 .PHONY: system-tests
+<<<<<<< HEAD
 system-tests: buildbeat.test prepare-tests python-env
 	. ${PYTHON_ENV}/bin/activate; nosetests -w tests/system --process-timeout=$(TIMEOUT) --with-timer
+=======
+system-tests: buildbeat.test prepare-tests system-tests-setup
+	. build/system-tests/env/bin/activate; nosetests -w tests/system --process-timeout=$(TIMEOUT) --with-timer
+>>>>>>> amqp protocol
 	python ${ES_BEATS}/dev-tools/aggregate_coverage.py -o ${COVERAGE_DIR}/system.cov ./build/system-tests/run
 
 # Runs system tests without coverage reports and in parallel
 .PHONY: fast-system-tests
+<<<<<<< HEAD
 fast-system-tests: buildbeat.test python-env
 	. ${PYTHON_ENV}/bin/activate; nosetests -w tests/system --processes=$(PROCESSES) --process-timeout=$(TIMEOUT)
 
@@ -155,6 +169,17 @@ python-env: ${ES_BEATS}/libbeat/tests/system/requirements.txt
 	else \
 		. ${PYTHON_ENV}/bin/activate && pip install -Ur ${ES_BEATS}/libbeat/tests/system/requirements.txt ; \
 	fi
+=======
+fast-system-tests: buildbeat.test system-tests-setup
+	. build/system-tests/env/bin/activate; nosetests -w tests/system --processes=$(PROCESSES) --process-timeout=$(TIMEOUT)
+
+.PHONY: system-tests-setup
+system-tests-setup: tests/system/requirements.txt
+	test -d env || virtualenv build/system-tests/env > /dev/null
+	. build/system-tests/env/bin/activate && pip install -Ur tests/system/requirements.txt > /dev/null
+	touch build/system-tests/env/bin/activate
+
+>>>>>>> amqp protocol
 
 # Run benchmark tests
 .PHONY: benchmark-tests
diff --git a/packetbeat/beater/packetbeat.go b/packetbeat/beater/packetbeat.go
index 364019a2d109..d0166e059a0e 100644
--- a/packetbeat/beater/packetbeat.go
+++ b/packetbeat/beater/packetbeat.go
@@ -16,6 +16,7 @@ import (
 	"github.com/elastic/beats/packetbeat/config"
 	"github.com/elastic/beats/packetbeat/procs"
 	"github.com/elastic/beats/packetbeat/protos"
+	"github.com/elastic/beats/packetbeat/protos/amqp"
 	"github.com/elastic/beats/packetbeat/protos/dns"
 	"github.com/elastic/beats/packetbeat/protos/http"
 	"github.com/elastic/beats/packetbeat/protos/icmp"
@@ -33,6 +34,7 @@ import (
 
 var EnabledProtocolPlugins map[protos.Protocol]protos.ProtocolPlugin = map[protos.Protocol]protos.ProtocolPlugin{
 	protos.HttpProtocol:     new(http.HTTP),
+	protos.AmqpProtocol:     new(amqp.Amqp),
 	protos.MemcacheProtocol: new(memcache.Memcache),
 	protos.MysqlProtocol:    new(mysql.Mysql),
 	protos.PgsqlProtocol:    new(pgsql.Pgsql),
diff --git a/packetbeat/config/config.go b/packetbeat/config/config.go
index fb5928e4b6f0..f79908f2b831 100644
--- a/packetbeat/config/config.go
+++ b/packetbeat/config/config.go
@@ -35,6 +35,7 @@ type InterfacesConfig struct {
 
 type Protocols struct {
 	Icmp     Icmp
+	Amqp     Amqp
 	Dns      Dns
 	Http     Http
 	Memcache Memcache
@@ -59,6 +60,14 @@ type Icmp struct {
 	TransactionTimeout *int  `yaml:"transaction_timeout"`
 }
 
+type Amqp struct {
+	ProtocolCommon              `yaml:",inline"`
+	ParseHeaders               *bool `yaml:"parse_headers"`
+	ParseArguments             *bool `yaml:"parse_arguments"`
+	MaxBodyLength             *int `yaml:"max_body_length"`
+	HideConnectionInformation *bool `yaml:"hide_connection_information"`
+}
+
 type Dns struct {
 	ProtocolCommon      `yaml:",inline"`
 	Include_authorities *bool
diff --git a/packetbeat/etc/beat.yml b/packetbeat/etc/beat.yml
index 970f7a6836e6..aed0b2f63efb 100644
--- a/packetbeat/etc/beat.yml
+++ b/packetbeat/etc/beat.yml
@@ -21,6 +21,28 @@ protocols:
     # Enable ICMPv4 and ICMPv6 monitoring. Default: false
     enabled: true
 
+  amqp:
+    # Configure the ports where to listen for AMQP traffic. You can disable
+    # the AMQP protocol by commenting out the list of ports.
+    ports: [5672]
+    # Truncate messages that are published and avoid huge messages being
+    # indexed.
+    # Default: 1000
+    #max_body_length: 1000
+
+    # Hide the header fields in header frames.
+    # Default: false
+    #parse_headers: false
+
+    # Hide the additional arguments of method frames.
+    # Default: false
+    #parse_arguments: false
+
+    # Hide all methods relative to connection negociation between server and
+    # client.
+    # Default: true
+    #hide_connection_information: true
+
   dns:
     # Configure the ports where to listen for DNS traffic. You can disable
     # the DNS protocol by commenting out the list of ports.
@@ -140,4 +162,3 @@ protocols:
 #
 #    - process: app
 #      cmdline_grep: gunicorn
-
diff --git a/packetbeat/etc/fields.yml b/packetbeat/etc/fields.yml
index ec0628c66b1e..96ed253d5921 100644
--- a/packetbeat/etc/fields.yml
+++ b/packetbeat/etc/fields.yml
@@ -411,6 +411,209 @@ event:
             The data describing the resource. The meaning of this data depends
             on the type and class of the resource record.
 
+    - name: amqp
+      type: group
+      description: AMQP specific event fields.
+      fields:
+        - name: amqp.reply-code
+          type: int
+          description: >
+            AMQP reply code to an error, similar to http reply-code
+          example: 404
+
+        - name: amqp.reply-text
+          type: string
+          description: >
+            Text expliciting the error.
+
+        - name: amqp.class-id
+          type: int
+          description: >
+            Failing method class.
+
+        - name: amqp.method-id
+          type: int
+          description: >
+            Failing method ID.
+
+        - name: amqp.exchange
+          type: string
+          description: >
+            Name of the exchange.
+
+        - name: amqp.exchange-type
+          type: string
+          description: >
+            Exchange type.
+          example: fanout
+
+        - name: amqp.passive
+          type: bool
+          description: >
+            If set, do not create exchange/queue.
+
+        - name: amqp.durable
+          type: bool
+          description: >
+            If set, request a durable exchange/queue.
+
+        - name: amqp.exclusive
+          type: bool
+          description: >
+            If set, request an exclusive queue.
+
+        - name: amqp.auto-delete
+          type: bool
+          description: >
+            If set, auto-delete queue when unused.
+
+        - name: amqp.no-wait
+          type: bool
+          description: >
+            If set, the server will not respond to the method.
+
+        - name: amqp.consumer-tag
+          description: >
+            Identifier for the consumer, valid within the current channel.
+
+        - name: amqp.delivery-tag
+          type: int
+          description: >
+            The server-­assigned and channel-­specific delivery tag.
+
+        - name: amqp.message-count
+          type: int
+          description: >
+            The number of messages in the queue, which will be zero for
+            newly-­declared queues.
+
+        - name: amqp.consumer-count
+          type: int
+          description: >
+            The number of consumers of a queue.
+
+        - name: amqp.routing-key
+          type: int
+          description: >
+            Message routing key.
+
+        - name: amqp.no-ack
+          type: bool
+          description: >
+            If set, the server does not expect acknowledgements for messages.
+
+        - name: amqp.no-local
+          type: bool
+          description: >
+            If set,  the server will not send messages to the connection that
+            published them.
+
+        - name: amqp.if-unused
+          type: bool
+          description: >
+            Delete only if unused.
+
+        - name: amqp.if-empty
+          type: bool
+          description: >
+            Delete only if empty.
+
+        - name: amqp.queue
+          type: string
+          description: >
+            The queue name identifies the queue within the vhost.
+
+        - name: amqp.redelivered
+          type: bool
+          description: >
+            Indicates that the message has been previously delivered to this
+            or another client.
+
+        - name: amqp.multiple
+          type: bool
+          description: >
+            Acknowledge multiple messages.
+
+        - name: amqp.arguments.*
+          description: >
+            Optional additional arguments passed to some methods. Can be of
+            various types.
+
+        - name: amqp.mandatory
+          type: bool
+          description: >
+            Indicates mandatory routing.
+
+        - name: amqp.immediate
+          type: bool
+          description: >
+            Request immediate delivery.
+
+        - name: amqp.content-type
+          type: string
+          description: >
+            MIME content type.
+          example: text/plain
+
+        - name: amqp.content-encoding
+          type: string
+          description: >
+            MIME content encoding.
+
+        - name: amqp.headers.*
+          description: >
+            Message header field table.
+
+        - name: amqp.delivery-mode
+          type: int
+          description: >
+            Non-persistent (1) or persistent (2).
+
+        - name: amqp.priority
+          type: int
+          description: >
+            Message priority, 0 to 9.
+
+        - name: amqp.correlation-id
+          type: string
+          description: >
+            Application correlation identifier.
+
+        - name: amqp.reply-to
+          type: string
+          description: >
+            Address to reply to.
+
+        - name: amqp.expiration
+          type: string
+          description: >
+            Message expiration specification.
+
+        - name: amqp.message-id
+          type: string
+          description: >
+            Application message identifier.
+
+        - name: amqp.timestamp
+          type: string
+          description: >
+            Message timestamp.
+
+        - name: amqp.type
+          type: string
+          description: >
+            Message type name.
+
+        - name: amqp.user-id
+          type: string
+          description: >
+            Creating user id.
+
+        - name: amqp.app-id
+          type: string
+          description: >
+            Creating application id.
+
     - name: http
       type: group
       description: HTTP-specific event fields.
diff --git a/packetbeat/packetbeat.yml b/packetbeat/packetbeat.yml
index 482e5c68b3a2..e7333b6a406f 100644
--- a/packetbeat/packetbeat.yml
+++ b/packetbeat/packetbeat.yml
@@ -44,6 +44,24 @@ protocols:
     # send_request:  true
     # send_response: true
 
+  amqp:
+    # Configure the ports where to listen for AMQP traffic. You can disable
+    # the AMQP protocol by commenting out the list of ports.
+    ports: [5672]
+    # Truncate messages that are published and avoid huge messages being
+    # indexed.
+    # Default: 1000
+    #max_body_length: 1000
+    # Hide the header fields in header frames.
+    # Default: false
+    #parse_headers: false
+    # Hide the additional arguments of method frames.
+    # Default: false
+    #parse_arguments: false
+    # See all methods relative to connection negociation between server and
+    # client.
+    #hide_connection_information: false
+
   http:
     # Configure the ports where to listen for HTTP traffic. You can disable
     # the HTTP protocol by commenting out the list of ports.
@@ -394,5 +412,3 @@ logging:
   # Sets log level. The default log level is error.
   # Available log levels are: critical, error, warning, info, debug
   #level: error
-
-
diff --git a/packetbeat/protos/amqp/amqp.go b/packetbeat/protos/amqp/amqp.go
new file mode 100644
index 000000000000..95101fdd9dd5
--- /dev/null
+++ b/packetbeat/protos/amqp/amqp.go
@@ -0,0 +1,570 @@
+package amqp
+
+import (
+	"github.com/elastic/beats/libbeat/common"
+	"github.com/elastic/beats/libbeat/logp"
+	"github.com/elastic/beats/packetbeat/config"
+	"github.com/elastic/beats/packetbeat/protos"
+	"github.com/elastic/beats/packetbeat/protos/tcp"
+	"github.com/elastic/beats/packetbeat/publish"
+	"strconv"
+	"strings"
+	"time"
+)
+
+var (
+	debugf    = logp.MakeDebug("amqp")
+	detailedf = logp.MakeDebug("amqpdetailed")
+)
+
+type Amqp struct {
+	Ports                     []int
+	SendRequest               bool
+	SendResponse              bool
+	MaxBodyLength             int
+	ParseHeaders              bool
+	ParseArguments            bool
+	HideConnectionInformation bool
+	transactions              *common.Cache
+	transactionTimeout        time.Duration
+	results                   publish.Transactions
+
+	//map containing functions associated with different method numbers
+	MethodMap map[codeClass]map[codeMethod]AmqpMethod
+}
+
+func (amqp *Amqp) GetPorts() []int {
+	return amqp.Ports
+}
+
+func (amqp *Amqp) setFromConfig(config config.Amqp) error {
+	amqp.Ports = config.Ports
+	if config.SendRequest != nil {
+		amqp.SendRequest = *config.SendRequest
+	}
+	if config.SendResponse != nil {
+		amqp.SendResponse = *config.SendResponse
+	}
+	if config.MaxBodyLength != nil {
+		amqp.MaxBodyLength = *config.MaxBodyLength
+	}
+	if config.ParseHeaders != nil {
+		amqp.ParseHeaders = *config.ParseHeaders
+	}
+	if config.ParseArguments != nil {
+		amqp.ParseArguments = *config.ParseArguments
+	}
+	if config.HideConnectionInformation != nil {
+		amqp.HideConnectionInformation = *config.HideConnectionInformation
+	}
+	if config.TransactionTimeout != nil && *config.TransactionTimeout > 0 {
+		amqp.transactionTimeout = time.Duration(*config.TransactionTimeout) * time.Second
+	}
+	return nil
+}
+
+func (amqp *Amqp) InitDefaults() {
+	amqp.SendRequest = false
+	amqp.SendResponse = false
+	amqp.MaxBodyLength = 1000
+	amqp.ParseHeaders = true
+	amqp.ParseArguments = true
+	amqp.HideConnectionInformation = true
+	amqp.transactionTimeout = protos.DefaultTransactionExpiration
+	amqp.MethodMap = map[codeClass]map[codeMethod]AmqpMethod{
+		connectionCode: map[codeMethod]AmqpMethod{
+			connectionClose:   connectionCloseMethod,
+			connectionCloseOk: okMethod,
+		},
+		channelCode: map[codeMethod]AmqpMethod{
+			channelClose:   channelCloseMethod,
+			channelCloseOk: okMethod,
+		},
+		exchangeCode: map[codeMethod]AmqpMethod{
+			exchangeDeclare:   exchangeDeclareMethod,
+			exchangeDeclareOk: okMethod,
+			exchangeDelete:    exchangeDeleteMethod,
+			exchangeDeleteOk:  okMethod,
+			exchangeBind:      exchangeBindMethod,
+			exchangeBindOk:    okMethod,
+			exchangeUnbind:    exchangeUnbindMethod,
+			exchangeUnbindOk:  okMethod,
+		},
+		queueCode: map[codeMethod]AmqpMethod{
+			queueDeclare:   queueDeclareMethod,
+			queueDeclareOk: queueDeclareOkMethod,
+			queueBind:      queueBindMethod,
+			queueBindOk:    okMethod,
+			queueUnbind:    queueUnbindMethod,
+			queueUnbindOk:  okMethod,
+			queuePurge:     queuePurgeMethod,
+			queuePurgeOk:   queuePurgeOkMethod,
+			queueDelete:    queueDeleteMethod,
+			queueDeleteOk:  queueDeleteOkMethod,
+		},
+		basicCode: map[codeMethod]AmqpMethod{
+			basicConsume:   basicConsumeMethod,
+			basicConsumeOk: basicConsumeOkMethod,
+			basicCancel:    basicCancelMethod,
+			basicCancelOk:  basicCancelOkMethod,
+			basicPublish:   basicPublishMethod,
+			basicReturn:    basicReturnMethod,
+			basicDeliver:   basicDeliverMethod,
+			basicGet:       basicGetMethod,
+			basicGetOk:     basicGetOkMethod,
+			basicGetEmpty:  basicGetEmptyMethod,
+			basicAck:       basicAckMethod,
+			basicReject:    basicRejectMethod,
+			basicRecover:   basicRecoverMethod,
+			basicRecoverOk: okMethod,
+			basicNack:      basicNackMethod,
+		},
+		txCode: map[codeMethod]AmqpMethod{
+			txSelect:     txSelectMethod,
+			txSelectOk:   okMethod,
+			txCommit:     txCommitMethod,
+			txCommitOk:   okMethod,
+			txRollback:   txRollbackMethod,
+			txRollbackOk: okMethod,
+		},
+	}
+}
+
+func (amqp *Amqp) Init(test_mode bool, results publish.Transactions) error {
+	amqp.InitDefaults()
+	if !test_mode {
+		err := amqp.setFromConfig(config.ConfigSingleton.Protocols.Amqp)
+		if err != nil {
+			return err
+		}
+	}
+	if amqp.HideConnectionInformation == false {
+		amqp.addConnectionMethods()
+	}
+	amqp.transactions = common.NewCache(
+		amqp.transactionTimeout,
+		protos.DefaultTransactionHashSize)
+	amqp.transactions.StartJanitor(amqp.transactionTimeout)
+	amqp.results = results
+	return nil
+}
+
+func (amqp *Amqp) addConnectionMethods() {
+	amqp.MethodMap[connectionCode][connectionStart] = connectionStartMethod
+	amqp.MethodMap[connectionCode][connectionStartOk] = connectionStartOkMethod
+	amqp.MethodMap[connectionCode][connectionTune] = connectionTuneMethod
+	amqp.MethodMap[connectionCode][connectionTuneOk] = connectionTuneOkMethod
+	amqp.MethodMap[connectionCode][connectionOpen] = connectionOpenMethod
+	amqp.MethodMap[connectionCode][connectionOpenOk] = okMethod
+	amqp.MethodMap[channelCode][channelOpen] = channelOpenMethod
+	amqp.MethodMap[channelCode][channelOpenOk] = okMethod
+	amqp.MethodMap[channelCode][channelFlow] = channelFlowMethod
+	amqp.MethodMap[channelCode][channelFlowOk] = channelFlowOkMethod
+	amqp.MethodMap[basicCode][basicQos] = basicQosMethod
+	amqp.MethodMap[basicCode][basicQosOk] = okMethod
+}
+
+func (amqp *Amqp) ConnectionTimeout() time.Duration {
+	return amqp.transactionTimeout
+}
+
+func (amqp *Amqp) Parse(pkt *protos.Packet, tcptuple *common.TcpTuple,
+	dir uint8, private protos.ProtocolData) protos.ProtocolData {
+
+	defer logp.Recover("ParseAmqp exception")
+	detailedf("Parse method triggered")
+
+	priv := amqpPrivateData{}
+	if private != nil {
+		var ok bool
+		priv, ok = private.(amqpPrivateData)
+		if !ok {
+			priv = amqpPrivateData{}
+		}
+	}
+
+	if priv.Data[dir] == nil {
+		priv.Data[dir] = &AmqpStream{
+			tcptuple: tcptuple,
+			data:     pkt.Payload,
+			message:  &AmqpMessage{Ts: pkt.Ts},
+		}
+	} else {
+		// concatenate databytes
+		priv.Data[dir].data = append(priv.Data[dir].data, pkt.Payload...)
+		if len(priv.Data[dir].data) > tcp.TCP_MAX_DATA_IN_STREAM {
+			debugf("Stream data too large, dropping TCP stream")
+			priv.Data[dir] = nil
+			return priv
+		}
+	}
+
+	stream := priv.Data[dir]
+
+	for len(stream.data) > 0 {
+		if stream.message == nil {
+			stream.message = &AmqpMessage{Ts: pkt.Ts}
+		}
+
+		ok, complete := amqp.amqpMessageParser(stream)
+		if !ok {
+			// drop this tcp stream. Will retry parsing with the next
+			// segment in it
+			priv.Data[dir] = nil
+			return priv
+		}
+		if !complete {
+			break
+		}
+		amqp.handleAmqp(stream.message, tcptuple, dir)
+	}
+	return priv
+}
+
+func (amqp *Amqp) GapInStream(tcptuple *common.TcpTuple, dir uint8,
+	nbytes int, private protos.ProtocolData) (priv protos.ProtocolData, drop bool) {
+	detailedf("GapInStream called")
+	return private, true
+}
+
+func (amqp *Amqp) ReceivedFin(tcptuple *common.TcpTuple, dir uint8,
+	private protos.ProtocolData) protos.ProtocolData {
+	//TODO
+	return private
+}
+
+func (amqp *Amqp) handleAmqpRequest(msg *AmqpMessage) {
+	// Add it to the HT
+	tuple := msg.TcpTuple
+
+	trans := amqp.getTransaction(tuple.Hashable())
+	if trans != nil {
+		if trans.Amqp != nil {
+			debugf("Two requests without a Response. Dropping old request: %s", trans.Amqp)
+		}
+	} else {
+		trans = &AmqpTransaction{Type: "amqp", tuple: tuple}
+		amqp.transactions.Put(tuple.Hashable(), trans)
+	}
+
+	trans.ts = msg.Ts
+	trans.Ts = int64(trans.ts.UnixNano() / 1000)
+	trans.JsTs = msg.Ts
+	trans.Src = common.Endpoint{
+		Ip:   msg.TcpTuple.Src_ip.String(),
+		Port: msg.TcpTuple.Src_port,
+		Proc: string(msg.CmdlineTuple.Src),
+	}
+	trans.Dst = common.Endpoint{
+		Ip:   msg.TcpTuple.Dst_ip.String(),
+		Port: msg.TcpTuple.Dst_port,
+		Proc: string(msg.CmdlineTuple.Dst),
+	}
+	if msg.Direction == tcp.TcpDirectionReverse {
+		trans.Src, trans.Dst = trans.Dst, trans.Src
+	}
+
+	trans.Method = msg.Method
+	// get the righ request
+	if len(msg.Request) > 0 {
+		trans.Request = strings.Join([]string{msg.Method, msg.Request}, " ")
+	} else {
+		trans.Request = msg.Method
+	}
+	//length = message + 4 bytes header + frame end octet
+	trans.BytesIn = msg.Body_size + 12
+	if msg.Fields != nil {
+		trans.Amqp = msg.Fields
+	} else {
+		trans.Amqp = common.MapStr{}
+	}
+
+	//if error or exception, publish it now. sometimes client or server never send
+	//an ack message and the error is lost. Also, if nowait flag set, don't expect
+	//any response and publish
+	if isAsynchronous(trans) {
+		amqp.publishTransaction(trans)
+		debugf("Amqp transaction completed")
+		amqp.transactions.Delete(trans.tuple.Hashable())
+		return
+	}
+
+	if trans.timer != nil {
+		trans.timer.Stop()
+	}
+	trans.timer = time.AfterFunc(TransactionTimeout, func() { amqp.expireTransaction(trans) })
+}
+
+func (amqp *Amqp) handleAmqpResponse(msg *AmqpMessage) {
+	tuple := msg.TcpTuple
+	trans := amqp.getTransaction(tuple.Hashable())
+	if trans == nil || trans.Amqp == nil {
+		logp.Warn("Response from unknown transaction. Ignoring.")
+		return
+	}
+
+	//length = message + 4 bytes class/method + frame end octet + header
+	trans.BytesOut = msg.Body_size + 12
+	//merge the both fields from request and response
+	trans.Amqp.Update(msg.Fields)
+	trans.Response = common.OK_STATUS
+
+	if msg.Method == "basic.get-empty" {
+		trans.Method = "basic.get-empty"
+	}
+
+	trans.ResponseTime = int32(msg.Ts.Sub(trans.ts).Nanoseconds() / 1e6)
+	trans.Notes = msg.Notes
+
+	amqp.publishTransaction(trans)
+
+	debugf("Amqp transaction completed")
+
+	// remove from map
+	amqp.transactions.Delete(trans.tuple.Hashable())
+	if trans.timer != nil {
+		trans.timer.Stop()
+	}
+}
+
+func (amqp *Amqp) expireTransaction(trans *AmqpTransaction) {
+	debugf("Transaction expired")
+
+	//possibility of a connection.close or channel.close method that didn't get an
+	//ok answer. Let's publish it.
+	if isCloseError(trans) {
+		trans.Notes = append(trans.Notes, "Close-ok method not received by sender")
+		amqp.publishTransaction(trans)
+	}
+	// remove from map
+	amqp.transactions.Delete(trans.tuple.Hashable())
+}
+
+//This method handles published messages from clients. Being an async
+//process, the method, header and body frames are regrouped in one transaction
+func (amqp *Amqp) handlePublishing(client *AmqpMessage) {
+
+	tuple := client.TcpTuple
+	trans := amqp.getTransaction(tuple.Hashable())
+
+	if trans == nil {
+		trans = &AmqpTransaction{Type: "amqp", tuple: tuple}
+		amqp.transactions.Put(client.TcpTuple.Hashable(), trans)
+	}
+
+	trans.ts = client.Ts
+	trans.Ts = int64(client.Ts.UnixNano() / 1000)
+	trans.JsTs = client.Ts
+	trans.Src = common.Endpoint{
+		Ip:   client.TcpTuple.Src_ip.String(),
+		Port: client.TcpTuple.Src_port,
+		Proc: string(client.CmdlineTuple.Src),
+	}
+	trans.Dst = common.Endpoint{
+		Ip:   client.TcpTuple.Dst_ip.String(),
+		Port: client.TcpTuple.Dst_port,
+		Proc: string(client.CmdlineTuple.Dst),
+	}
+
+	trans.Method = client.Method
+	//for publishing and delivering, bytes in and out represent the length of the
+	//message itself
+	trans.BytesIn = client.Body_size
+
+	if client.Body_size > uint64(amqp.MaxBodyLength) {
+		trans.Body = client.Body[:amqp.MaxBodyLength]
+	} else {
+		trans.Body = client.Body
+	}
+
+	trans.ToString = isStringable(client)
+
+	trans.Amqp = client.Fields
+	amqp.publishTransaction(trans)
+	debugf("Amqp transaction completed")
+	//delete trans from map
+	amqp.transactions.Delete(trans.tuple.Hashable())
+}
+
+//This method handles delivered messages via basic.deliver and basic.get-ok AND
+//returned messages to clients. Being an async process, the method, header and
+//body frames are regrouped in one transaction
+func (amqp *Amqp) handleDelivering(server *AmqpMessage) {
+
+	tuple := server.TcpTuple
+	trans := amqp.getTransaction(tuple.Hashable())
+
+	if trans == nil {
+		trans = &AmqpTransaction{Type: "amqp", tuple: tuple}
+		amqp.transactions.Put(server.TcpTuple.Hashable(), trans)
+	}
+
+	trans.ts = server.Ts
+	trans.Ts = int64(server.Ts.UnixNano() / 1000)
+	trans.JsTs = server.Ts
+	trans.Src = common.Endpoint{
+		Ip:   server.TcpTuple.Src_ip.String(),
+		Port: server.TcpTuple.Src_port,
+		Proc: string(server.CmdlineTuple.Src),
+	}
+	trans.Dst = common.Endpoint{
+		Ip:   server.TcpTuple.Dst_ip.String(),
+		Port: server.TcpTuple.Dst_port,
+		Proc: string(server.CmdlineTuple.Dst),
+	}
+
+	//for publishing and delivering, bytes in and out represent the length of the
+	//message itself
+	trans.BytesOut = server.Body_size
+
+	if server.Body_size > uint64(amqp.MaxBodyLength) {
+		trans.Body = server.Body[:amqp.MaxBodyLength]
+	} else {
+		trans.Body = server.Body
+	}
+	trans.ToString = isStringable(server)
+	if server.Method == "basic.get-ok" {
+		trans.Method = "basic.get"
+	} else {
+		trans.Method = server.Method
+	}
+	trans.Amqp = server.Fields
+
+	amqp.publishTransaction(trans)
+	debugf("Amqp transaction completed")
+	//delete trans from map
+	amqp.transactions.Delete(trans.tuple.Hashable())
+}
+
+func (amqp *Amqp) publishTransaction(t *AmqpTransaction) {
+
+	if amqp.results == nil {
+		return
+	}
+
+	event := common.MapStr{}
+	event["type"] = "amqp"
+
+	event["method"] = t.Method
+	if isError(t) {
+		event["status"] = common.ERROR_STATUS
+	} else {
+		event["status"] = common.OK_STATUS
+	}
+	event["responsetime"] = t.ResponseTime
+	event["amqp"] = t.Amqp
+	event["bytes_out"] = t.BytesOut
+	event["bytes_in"] = t.BytesIn
+	event["@timestamp"] = common.Time(t.ts)
+	event["src"] = &t.Src
+	event["dst"] = &t.Dst
+
+	//let's try to convert request/response to a readable format
+	if amqp.SendRequest {
+		if t.Method == "basic.publish" {
+			if t.ToString {
+				if uint64(len(t.Body)) < t.BytesIn {
+					event["request"] = string(t.Body) + " [...]"
+				} else {
+					event["request"] = string(t.Body)
+				}
+			} else {
+				if uint64(len(t.Body)) < t.BytesIn {
+					event["request"] = bodyToString(t.Body) + " [...]"
+				} else {
+					event["request"] = bodyToString(t.Body)
+				}
+			}
+		} else {
+			event["request"] = t.Request
+		}
+	}
+	if amqp.SendResponse {
+		if t.Method == "basic.deliver" || t.Method == "basic.return" ||
+			t.Method == "basic.get" {
+			if t.ToString {
+				if uint64(len(t.Body)) < t.BytesOut {
+					event["response"] = string(t.Body) + " [...]"
+				} else {
+					event["response"] = string(t.Body)
+				}
+			} else {
+				if uint64(len(t.Body)) < t.BytesOut {
+					event["response"] = bodyToString(t.Body) + " [...]"
+				} else {
+					event["response"] = bodyToString(t.Body)
+				}
+			}
+		} else {
+			event["response"] = t.Response
+		}
+	}
+	if len(t.Notes) > 0 {
+		event["notes"] = t.Notes
+	}
+
+	amqp.results.PublishTransaction(event)
+}
+
+//function to check if method is async or not
+func isAsynchronous(trans *AmqpTransaction) bool {
+	if val, ok := trans.Amqp["no-wait"]; ok && val == true {
+		return true
+	} else {
+		return trans.Method == "basic.reject" ||
+			trans.Method == "basic.ack" ||
+			trans.Method == "basic.nack"
+	}
+}
+
+//function to convert a body slice into a readable format
+func bodyToString(data []byte) string {
+	var ret []string = make([]string, len(data))
+
+	for i, c := range data {
+		ret[i] = strconv.Itoa(int(c))
+	}
+	return strings.Join(ret, " ")
+}
+
+//function used to check if a body message can be converted to readable string
+func isStringable(m *AmqpMessage) bool {
+	stringable := false
+
+	if contentEncoding, ok := m.Fields["content-encoding"].(string); ok &&
+		contentEncoding != "" {
+		return false
+	}
+	if contentType, ok := m.Fields["content-type"].(string); ok {
+		stringable = strings.Contains(contentType, "text") ||
+			strings.Contains(contentType, "json")
+	}
+	return stringable
+}
+
+func (amqp *Amqp) getTransaction(k common.HashableTcpTuple) *AmqpTransaction {
+	v := amqp.transactions.Get(k)
+	if v != nil {
+		return v.(*AmqpTransaction)
+	}
+	return nil
+}
+
+func isError(t *AmqpTransaction) bool {
+	return t.Method == "basic.return" || t.Method == "basic.reject" ||
+		isCloseError(t)
+}
+
+func isCloseError(t *AmqpTransaction) bool {
+	return (t.Method == "connection.close" || t.Method == "channel.close") &&
+		getReplyCode(t.Amqp) >= 300
+}
+
+func getReplyCode(m common.MapStr) uint16 {
+	code, ok := m["reply-code"].(uint16)
+	if !ok {
+		return 0
+	} else {
+		return code
+	}
+}
diff --git a/packetbeat/protos/amqp/amqp_fields.go b/packetbeat/protos/amqp/amqp_fields.go
new file mode 100644
index 000000000000..ee5cbd820a47
--- /dev/null
+++ b/packetbeat/protos/amqp/amqp_fields.go
@@ -0,0 +1,199 @@
+package amqp
+
+import (
+	"encoding/binary"
+	"github.com/elastic/beats/libbeat/common"
+	"github.com/elastic/beats/libbeat/logp"
+	"math"
+	"strconv"
+	"strings"
+	"time"
+)
+
+func getTable(fields common.MapStr, data []byte, offset uint32) (next uint32, err bool, exists bool) {
+	ret := common.MapStr{}
+
+	length := binary.BigEndian.Uint32(data[offset : offset+4])
+
+	// size declared too big
+	if length > uint32(len(data[offset+4:])) {
+		return 0, true, false
+	}
+	if length > 0 {
+		exists = true
+		err := fieldUnmarshal(ret, data[offset+4:offset+4+length], 0, length, -1)
+		if err {
+			logp.Warn("Error while parsing a field table")
+			return 0, true, false
+		}
+		if fields == nil {
+			fields = ret
+		} else {
+			fields.Update(ret)
+		}
+	}
+	return length + 4 + offset, false, exists
+}
+
+func getArray(fields common.MapStr, data []byte, offset uint32) (next uint32, err bool, exists bool) {
+	ret := common.MapStr{}
+
+	length := binary.BigEndian.Uint32(data[offset : offset+4])
+
+	// size declared too big
+	if length > uint32(len(data[offset+4:])) {
+		return 0, true, false
+	}
+	if length > 0 {
+		exists = true
+		err := fieldUnmarshal(ret, data[offset+4:offset+4+length], 0, length, 0)
+		if err {
+			logp.Warn("Error while parsing a field array")
+			return 0, true, false
+		}
+		if fields == nil {
+			fields = ret
+		} else {
+			fields.Update(ret)
+		}
+	}
+	return length + 4 + offset, false, exists
+}
+
+//The index parameter, when set at -1, indicates that the entry is a field table.
+//If it's set at 0, it is an array.
+func fieldUnmarshal(table common.MapStr, data []byte, offset uint32, length uint32, index int) (err bool) {
+	var name string
+
+	if offset >= length {
+		return false
+	}
+	//get name of the field. If it's an array, it will be the index parameter as a
+	//string. If it's a table, it will be the name of the field.
+	if index < 0 {
+		field_name, offset_temp, err := getShortString(data, offset+1, uint32(data[offset]))
+		if err {
+			logp.Warn("Failed to get short string in table")
+			return true
+		}
+		name = field_name
+		offset = offset_temp
+	} else {
+		name = strconv.Itoa(index)
+		index += 1
+	}
+
+	switch data[offset] {
+	case boolean:
+		if data[offset+1] == 1 {
+			table[name] = true
+		} else {
+			table[name] = false
+		}
+		offset += 2
+	case shortShortInt:
+		table[name] = int8(data[offset+1])
+		offset += 2
+	case shortShortUint:
+		table[name] = uint8(data[offset+1])
+		offset += 2
+	case shortInt:
+		table[name] = int16(binary.BigEndian.Uint16(data[offset+1 : offset+3]))
+		offset += 3
+	case shortUint:
+		table[name] = binary.BigEndian.Uint16(data[offset+1 : offset+3])
+		offset += 3
+	case longInt:
+		table[name] = int(binary.BigEndian.Uint32(data[offset+1 : offset+5]))
+		offset += 5
+	case longUint:
+		table[name] = binary.BigEndian.Uint32(data[offset+1 : offset+5])
+		offset += 5
+	case longLongInt:
+		table[name] = int64(binary.BigEndian.Uint64(data[offset+1 : offset+9]))
+		offset += 9
+	case longLongUint:
+		table[name] = binary.BigEndian.Uint64(data[offset+1 : offset+9])
+		offset += 9
+	case float:
+		bits := binary.BigEndian.Uint32(data[offset+1 : offset+5])
+		table[name] = math.Float32frombits(bits)
+		offset += 5
+	case double:
+		bits := binary.BigEndian.Uint64(data[offset+1 : offset+9])
+		table[name] = math.Float64frombits(bits)
+		offset += 9
+	case decimal:
+		scale := data[offset+1]
+		val := strings.Split(strconv.Itoa(int(binary.BigEndian.Uint32(data[offset+2:offset+6]))), "")
+		ret := make([]string, len(val)+1)
+		for i, j := 0, 0; i < len(val); i++ {
+			if i == len(val)-int(scale) {
+				ret[j] = "."
+				j++
+			}
+			ret[j] = val[i]
+			j++
+		}
+		table[name] = strings.Join(ret, "")
+		offset += 6
+	case shortString:
+		s, next, err := getShortString(data, offset+2, uint32(data[offset+1]))
+		if err {
+			logp.Warn("Failed to get short string in table")
+			return true
+		}
+		table[name] = s
+		offset = next
+	case longString:
+		s, next, err := getShortString(data, offset+5, binary.BigEndian.Uint32(data[offset+1:offset+5]))
+		if err {
+			logp.Warn("Failed to get long string in table")
+			return true
+		}
+		table[name] = s
+		offset = next
+	case fieldArray:
+		newMap := common.MapStr{}
+		next, err, _ := getArray(newMap, data, offset+1)
+		if err {
+			return true
+		}
+		table[name] = newMap
+		offset = next
+	case timestamp:
+		t := time.Unix(int64(binary.BigEndian.Uint64(data[offset+1:offset+9])), 0)
+		table[name] = t.Format(AMQPTIMELAYOUT)
+		offset += 9
+	case fieldTable:
+		newMap := common.MapStr{}
+		next, err, _ := getTable(newMap, data, offset+1)
+		if err {
+			return true
+		}
+		table[name] = newMap
+		offset = next
+	case noField:
+		table[name] = nil
+		offset += 1
+	case byteArray:
+		size := binary.BigEndian.Uint32(data[offset+1 : offset+5])
+		table[name] = bodyToByteArray(data[offset+1+size : offset+5+size])
+		offset += 5 + size
+	default:
+		//unkown field
+		return true
+	}
+	//advance to next field recursively
+	return fieldUnmarshal(table, data, offset, length, index)
+}
+
+// function to convert a body slice into a byte array
+func bodyToByteArray(data []byte) string {
+	var ret []string = make([]string, len(data))
+
+	for i, c := range data {
+		ret[i] = strconv.Itoa(int(c))
+	}
+	return "[" + strings.Join(ret, ", ") + "]"
+}
diff --git a/packetbeat/protos/amqp/amqp_methods.go b/packetbeat/protos/amqp/amqp_methods.go
new file mode 100644
index 000000000000..1cb19c0b1d5b
--- /dev/null
+++ b/packetbeat/protos/amqp/amqp_methods.go
@@ -0,0 +1,782 @@
+package amqp
+
+import (
+	"encoding/binary"
+	"github.com/elastic/beats/libbeat/common"
+	"github.com/elastic/beats/libbeat/logp"
+	"strconv"
+	"strings"
+)
+
+func connectionStartMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	major := args[0]
+	minor := args[1]
+	properties := make(common.MapStr)
+	next, err, exists := getTable(properties, args, 2)
+	if err {
+		//failed to get de peer-properties, size may be wrong, let's quit
+		logp.Warn("Failed to parse server properties in connection.start method")
+		return false, false
+	}
+	mechanisms, next, err := getShortString(args, next+4, binary.BigEndian.Uint32(args[next:next+4]))
+	if err {
+		logp.Warn("Failed to get connection mechanisms")
+		return false, false
+	}
+	locales, _, err := getShortString(args, next+4, binary.BigEndian.Uint32(args[next:next+4]))
+	if err {
+		logp.Warn("Failed to get connection locales")
+		return false, false
+	}
+	m.Method = "connection.start"
+	m.IsRequest = true
+	m.Fields = common.MapStr{
+		"version-major": major,
+		"version-minor": minor,
+		"mechanisms":    mechanisms,
+		"locales":       locales,
+	}
+	//if there is a server properties table, add it
+	if exists {
+		m.Fields["server-properties"] = properties
+	}
+	return true, true
+}
+
+func connectionStartOkMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	properties := make(common.MapStr)
+	next, err, exists := getTable(properties, args, 0)
+	if err {
+		//failed to get de peer-properties, size may be wrong, let's quit
+		logp.Warn("Failed to parse server properties in connection.start method")
+		return false, false
+	}
+	mechanism, next, err := getShortString(args, next+1, uint32(args[next]))
+	if err {
+		logp.Warn("Failed to get connection mechanism from client")
+		return false, false
+	}
+	_, next, err = getShortString(args, next+4, binary.BigEndian.Uint32(args[next:next+4]))
+	if err {
+		logp.Warn("Failed to get connection response from client")
+		return false, false
+	}
+	locale, _, err := getShortString(args, next+1, uint32(args[next]))
+	if err {
+		logp.Warn("Failed to get connection locale from client")
+		return false, false
+	}
+	m.IsRequest = false
+	m.Fields = common.MapStr{
+		"mechanism": mechanism,
+		"locale":    locale,
+	}
+	//if there is a client properties table, add it
+	if exists {
+		m.Fields["client-properties"] = properties
+	}
+	return true, true
+}
+
+func connectionTuneMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	m.IsRequest = true
+	m.Method = "connection.tune"
+	//parameters are not parsed here, they are further negociated by the server
+	//in the connection.tune-ok method
+	return true, true
+}
+
+func connectionTuneOkMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	m.Fields = common.MapStr{
+		"channel-max": binary.BigEndian.Uint16(args[0:2]),
+		"frame-max":   binary.BigEndian.Uint32(args[2:6]),
+		"heartbeat":   binary.BigEndian.Uint16(args[6:8]),
+	}
+	return true, true
+}
+
+func connectionOpenMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	m.IsRequest = true
+	m.Method = "connection.open"
+	host, _, err := getShortString(args, 1, uint32(args[0]))
+	if err {
+		logp.Warn("Failed to get virtual host from client")
+		return false, false
+	}
+	m.Fields = common.MapStr{"virtual-host": host}
+	return true, true
+}
+
+func connectionCloseMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	err := getCloseInfo(args, m)
+	if err {
+		return false, false
+	}
+	m.Method = "connection.close"
+	m.IsRequest = true
+	return true, true
+}
+
+func channelOpenMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	m.Method = "channel.open"
+	m.IsRequest = true
+	return true, true
+}
+
+func channelFlowMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	m.Method = "channel.flow"
+	m.IsRequest = true
+	return true, true
+}
+
+func channelFlowOkMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	params := getBitParams(args[0])
+	m.Fields = common.MapStr{"active": params[0]}
+	return true, true
+}
+
+func channelCloseMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	m.Method = "channel.close"
+	m.IsRequest = true
+	err := getCloseInfo(args, m)
+	if err {
+		return false, false
+	}
+	return true, true
+}
+
+//function to fetch fields from channel close and connection close
+func getCloseInfo(args []byte, m *AmqpMessage) bool {
+	code := binary.BigEndian.Uint16(args[0:2])
+	m.IsRequest = true
+	replyText, nextOffset, err := getShortString(args, 3, uint32(args[2]))
+	if err {
+		logp.Warn("Failed to get error reply text")
+		return true
+	}
+	m.Fields = common.MapStr{
+		"reply-code": code,
+		"reply-text": replyText,
+		"class-id":   binary.BigEndian.Uint16(args[nextOffset : nextOffset+2]),
+		"method-id":  binary.BigEndian.Uint16(args[nextOffset+2 : nextOffset+4]),
+	}
+	return false
+}
+
+func queueDeclareMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	name, offset, err := getShortString(args, 3, uint32(args[2]))
+	if err {
+		logp.Warn("Error getting name of queue in queue declaration")
+		return false, false
+	}
+	m.IsRequest = true
+	m.Method = "queue.declare"
+	params := getBitParams(args[offset])
+	m.Request = name
+	m.Fields = common.MapStr{
+		"queue":       name,
+		"passive":     params[0],
+		"durable":     params[1],
+		"exclusive":   params[2],
+		"auto-delete": params[3],
+		"no-wait":     params[4],
+	}
+	if args[offset+1] != FRAME_END_OCTET && m.ParseArguments {
+		arguments := make(common.MapStr)
+		_, err, exists := getTable(arguments, args, offset+1)
+		if !err && exists {
+			m.Fields["arguments"] = arguments
+		} else if err {
+			m.Notes = append(m.Notes, "Failed to parse additional arguments")
+		}
+	}
+	return true, true
+}
+
+func queueDeclareOkMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	name, nextOffset, err := getShortString(args, 1, uint32(args[0]))
+	if err {
+		logp.Warn("Error getting name of queue in queue confirmation")
+		return false, false
+	}
+	m.Method = "queue.declare-ok"
+	m.Fields = common.MapStr{
+		"queue":          name,
+		"consumer-count": binary.BigEndian.Uint32(args[nextOffset+4:]),
+		"message-count":  binary.BigEndian.Uint32(args[nextOffset : nextOffset+4]),
+	}
+	return true, true
+}
+
+func queueBindMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	queue, offset, err := getShortString(args, 3, uint32(args[2]))
+	if err {
+		logp.Warn("Error getting name of queue in queue bind")
+		return false, false
+	}
+	m.IsRequest = true
+	exchange, offset, err := getShortString(args, offset+1, uint32(args[offset]))
+	if err {
+		logp.Warn("Error getting name of queue in queue bind")
+		return false, false
+	}
+	routingKey, offset, err := getShortString(args, offset+1, uint32(args[offset]))
+	if err {
+		logp.Warn("Error getting name of queue in queue bind")
+		return false, false
+	}
+	params := getBitParams(args[offset])
+	m.Method = "queue.bind"
+	m.Request = strings.Join([]string{queue, exchange}, " ")
+	m.Fields = common.MapStr{
+		"queue":       queue,
+		"routing-key": routingKey,
+		"no-wait":     params[0],
+	}
+	if len(exchange) > 0 {
+		m.Fields["exchange"] = exchange
+	}
+	if args[offset+1] != FRAME_END_OCTET && m.ParseArguments {
+		arguments := make(common.MapStr)
+		_, err, exists := getTable(arguments, args, offset+1)
+		if !err && exists {
+			m.Fields["arguments"] = arguments
+		} else if err {
+			m.Notes = append(m.Notes, "Failed to parse additional arguments")
+		}
+	}
+	return true, true
+}
+
+func queueUnbindMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	queue, offset, err := getShortString(args, 3, uint32(args[2]))
+	if err {
+		logp.Warn("Error getting name of queue in queue unbind")
+		return false, false
+	}
+	exchange, offset, err := getShortString(args, offset+1, uint32(args[offset]))
+	if err {
+		logp.Warn("Error getting name of queue in queue unbind")
+		return false, false
+	}
+	routingKey, offset, err := getShortString(args, offset+1, uint32(args[offset]))
+	if err {
+		logp.Warn("Error getting name of queue in queue unbind")
+		return false, false
+	}
+	m.IsRequest = true
+	m.Method = "queue.unbind"
+	m.Request = strings.Join([]string{queue, exchange}, " ")
+	m.Fields = common.MapStr{
+		"queue":       queue,
+		"routing-key": routingKey,
+	}
+	if len(exchange) > 0 {
+		m.Fields["exchange"] = exchange
+	}
+	if args[offset+1] != FRAME_END_OCTET && m.ParseArguments {
+		arguments := make(common.MapStr)
+		_, err, exists := getTable(arguments, args, offset+1)
+		if !err && exists {
+			m.Fields["arguments"] = arguments
+		} else if err {
+			m.Notes = append(m.Notes, "Failed to parse additional arguments")
+		}
+	}
+	return true, true
+}
+
+func queuePurgeMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	queue, nextOffset, err := getShortString(args, 3, uint32(args[2]))
+	if err {
+		logp.Warn("Error getting name of queue in queue purge")
+		return false, false
+	}
+	m.IsRequest = true
+	params := getBitParams(args[nextOffset])
+	m.Method = "queue.purge"
+	m.Request = queue
+	m.Fields = common.MapStr{
+		"queue":   queue,
+		"no-wait": params[0],
+	}
+	return true, true
+}
+
+func queuePurgeOkMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	m.Method = "queue.purge-ok"
+	m.Fields = common.MapStr{
+		"message-count": binary.BigEndian.Uint32(args[0:4]),
+	}
+	return true, true
+}
+
+func queueDeleteMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	queue, nextOffset, err := getShortString(args, 3, uint32(args[2]))
+	if err {
+		logp.Warn("Error getting name of queue in queue delete")
+		return false, false
+	}
+	m.IsRequest = true
+	params := getBitParams(args[nextOffset])
+	m.Method = "queue.delete"
+	m.Request = queue
+	m.Fields = common.MapStr{
+		"queue":     queue,
+		"if-unused": params[0],
+		"if-empty":  params[1],
+		"no-wait":   params[2],
+	}
+	return true, true
+}
+
+func queueDeleteOkMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	m.Method = "queue.delete-ok"
+	m.Fields = common.MapStr{
+		"message-count": binary.BigEndian.Uint32(args[0:4]),
+	}
+	return true, true
+}
+
+func exchangeDeclareMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	exchange, offset, err := getShortString(args, 3, uint32(args[2]))
+	if err {
+		logp.Warn("Error getting name of exchange in exchange declare")
+		return false, false
+	}
+	exchangeType, offset, err := getShortString(args, offset+1, uint32(args[offset]))
+	if err {
+		logp.Warn("Error getting name of routing key in exchange declare")
+		return false, false
+	}
+	params := getBitParams(args[offset])
+	m.Method = "exchange.declare"
+	m.IsRequest = true
+	m.Request = exchange
+	if exchangeType == "" {
+		exchangeType = "direct"
+	}
+	m.Fields = common.MapStr{
+		"exchange":      exchange,
+		"exchange-type": exchangeType,
+		"passive":       params[0],
+		"durable":       params[1],
+		"no-wait":       params[4],
+	}
+	if args[offset+1] != FRAME_END_OCTET && m.ParseArguments {
+		arguments := make(common.MapStr)
+		_, err, exists := getTable(arguments, args, offset+1)
+		if !err && exists {
+			m.Fields["arguments"] = arguments
+		} else if err {
+			m.Notes = append(m.Notes, "Failed to parse additional arguments")
+		}
+	}
+	return true, true
+}
+
+func exchangeDeleteMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	exchange, nextOffset, err := getShortString(args, 3, uint32(args[2]))
+	if err {
+		logp.Warn("Error getting name of exchange in exchange delete")
+		return false, false
+	}
+	m.Method = "exchange.delete"
+	m.IsRequest = true
+	params := getBitParams(args[nextOffset])
+	m.Request = exchange
+	m.Fields = common.MapStr{
+		"exchange":  exchange,
+		"if-unused": params[0],
+		"no-wait":   params[1],
+	}
+	return true, true
+}
+
+//this is a method exclusive to RabbitMQ
+func exchangeBindMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	m.Method = "exchange.bind"
+	err := exchangeBindUnbindInfo(m, args)
+	if err {
+		return false, false
+	}
+	return true, true
+}
+
+//this is a method exclusive to RabbitMQ
+func exchangeUnbindMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	m.Method = "exchange.unbind"
+	err := exchangeBindUnbindInfo(m, args)
+	if err {
+		return false, false
+	}
+	return true, true
+}
+
+func exchangeBindUnbindInfo(m *AmqpMessage, args []byte) bool {
+	destination, offset, err := getShortString(args, 3, uint32(args[2]))
+	if err {
+		logp.Warn("Error getting name of destination in exchange bind/unbind")
+		return true
+	}
+	source, offset, err := getShortString(args, offset+1, uint32(args[offset]))
+	if err {
+		logp.Warn("Error getting name of source in exchange bind/unbind")
+		return true
+	}
+	routingKey, offset, err := getShortString(args, offset+1, uint32(args[offset]))
+	if err {
+		logp.Warn("Error getting name of routing-key in exchange bind/unbind")
+		return true
+	}
+	m.IsRequest = true
+	params := getBitParams(args[offset])
+	m.Request = strings.Join([]string{source, destination}, " ")
+	m.Fields = common.MapStr{
+		"destination": destination,
+		"source":      source,
+		"routing-key": routingKey,
+		"no-wait":     params[0],
+	}
+	if args[offset+1] != FRAME_END_OCTET && m.ParseArguments {
+		arguments := make(common.MapStr)
+		_, err, exists := getTable(arguments, args, offset+1)
+		if !err && exists {
+			m.Fields["arguments"] = arguments
+		} else if err {
+			m.Notes = append(m.Notes, "Failed to parse additional arguments")
+		}
+	}
+	return false
+}
+
+func basicQosMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	prefetchSize := binary.BigEndian.Uint32(args[0:4])
+	prefetchCount := binary.BigEndian.Uint16(args[4:6])
+	params := getBitParams(args[6])
+	m.IsRequest = true
+	m.Method = "basic.qos"
+	m.Fields = common.MapStr{
+		"prefetch-size":  prefetchSize,
+		"prefetch-count": prefetchCount,
+		"global":         params[0],
+	}
+	return true, true
+}
+
+func basicConsumeMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	queue, offset, err := getShortString(args, 3, uint32(args[2]))
+	if err {
+		logp.Warn("Error getting name of queue in basic consume")
+		return false, false
+	}
+	consumerTag, offset, err := getShortString(args, offset+1, uint32(args[offset]))
+	if err {
+		logp.Warn("Error getting name of consumer tag in basic consume")
+		return false, false
+	}
+	params := getBitParams(args[offset])
+	m.Method = "basic.consume"
+	m.IsRequest = true
+	m.Request = queue
+	m.Fields = common.MapStr{
+		"queue":        queue,
+		"consumer-tag": consumerTag,
+		"no-local":     params[0],
+		"no-ack":       params[1],
+		"exclusive":    params[2],
+		"no-wait":      params[3],
+	}
+	if args[offset+1] != FRAME_END_OCTET && m.ParseArguments {
+		arguments := make(common.MapStr)
+		_, err, exists := getTable(arguments, args, offset+1)
+		if !err && exists {
+			m.Fields["arguments"] = arguments
+		} else if err {
+			m.Notes = append(m.Notes, "Failed to parse additional arguments")
+		}
+	}
+	return true, true
+}
+
+func basicConsumeOkMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	consumerTag, _, err := getShortString(args, 1, uint32(args[0]))
+	if err {
+		logp.Warn("Error getting name of queue in basic consume")
+		return false, false
+	}
+	m.Method = "basic.consume-ok"
+	m.Fields = common.MapStr{
+		"consumer-tag": consumerTag,
+	}
+	return true, true
+}
+
+func basicCancelMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	consumerTag, offset, err := getShortString(args, 1, uint32(args[0]))
+	if err {
+		logp.Warn("Error getting consumer tag in basic cancel")
+		return false, false
+	}
+	m.Method = "basic.cancel"
+	m.IsRequest = true
+	m.Request = consumerTag
+	params := getBitParams(args[offset])
+	m.Fields = common.MapStr{
+		"consumer-tag": consumerTag,
+		"no-wait":      params[0],
+	}
+	return true, true
+}
+
+func basicCancelOkMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	consumerTag, _, err := getShortString(args, 1, uint32(args[0]))
+	if err {
+		logp.Warn("Error getting consumer tag in basic cancel ok")
+		return false, false
+	}
+	m.Method = "basic.cancel-ok"
+	m.Fields = common.MapStr{
+		"consumer-tag": consumerTag,
+	}
+	return true, true
+}
+
+func basicPublishMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	exchange, nextOffset, err := getShortString(args, 3, uint32(args[2]))
+	if err {
+		logp.Warn("Error getting exchange in basic publish")
+		return false, false
+	}
+	routingKey, nextOffset, err := getShortString(args, nextOffset+1, uint32(args[nextOffset]))
+	if err {
+		logp.Warn("Error getting routing key in basic publish")
+		return false, false
+	}
+	params := getBitParams(args[nextOffset])
+	m.Method = "basic.publish"
+	m.Fields = common.MapStr{
+		"routing-key": routingKey,
+		"mandatory":   params[0],
+		"immediate":   params[1],
+	}
+	// is exchange not default exchange ?
+	if len(exchange) > 0 {
+		m.Fields["exchange"] = exchange
+	}
+	return true, false
+}
+
+func basicReturnMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	code := binary.BigEndian.Uint16(args[0:2])
+	if code < 300 {
+		//not an error or exception ? not interesting
+		return true, false
+	}
+	replyText, nextOffset, err := getShortString(args, 3, uint32(args[2]))
+	if err {
+		logp.Warn("Error getting name of reply text in basic return")
+		return false, false
+	}
+	exchange, nextOffset, err := getShortString(args, nextOffset+1, uint32(args[nextOffset]))
+	if err {
+		logp.Warn("Error getting name of exchange in basic return")
+		return false, false
+	}
+	routingKey, nextOffset, err := getShortString(args, nextOffset+1, uint32(args[nextOffset]))
+	if err {
+		logp.Warn("Error getting name of routing key in basic return")
+		return false, false
+	}
+	m.Method = "basic.return"
+	m.Fields = common.MapStr{
+		"exchange":    exchange,
+		"routing-key": routingKey,
+		"reply-code":  code,
+		"reply-text":  replyText,
+	}
+	return true, false
+}
+
+func basicDeliverMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	consumerTag, offset, err := getShortString(args, 1, uint32(args[0]))
+	if err {
+		logp.Warn("Failed to get consumer tag in basic deliver")
+		return false, false
+	}
+	deliveryTag := binary.BigEndian.Uint64(args[offset : offset+8])
+	params := getBitParams(args[offset+8])
+	offset = offset + 9
+	exchange, offset, err := getShortString(args, offset+1, uint32(args[offset]))
+	if err {
+		logp.Warn("Failed to get exchange in basic deliver")
+		return false, false
+	}
+	routingKey, _, err := getShortString(args, offset+1, uint32(args[offset]))
+	if err {
+		logp.Warn("Failed to get routing key in basic deliver")
+		return false, false
+	}
+	m.Method = "basic.deliver"
+	m.Fields = common.MapStr{
+		"consumer-tag": consumerTag,
+		"delivery-tag": deliveryTag,
+		"redelivered":  params[0],
+		"routing-key":  routingKey,
+	}
+	// is exchange not default exchange ?
+	if len(exchange) > 0 {
+		m.Fields["exchange"] = exchange
+	}
+	return true, false
+}
+
+func basicGetMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	queue, offset, err := getShortString(args, 3, uint32(args[2]))
+	if err {
+		logp.Warn("Failed to get queue in basic get method")
+		return false, false
+	}
+	m.Method = "basic.get"
+	params := getBitParams(args[offset])
+	m.IsRequest = true
+	m.Request = queue
+	m.Fields = common.MapStr{
+		"queue":  queue,
+		"no-ack": params[0],
+	}
+	return true, true
+}
+
+func basicGetOkMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	params := getBitParams(args[8])
+	exchange, offset, err := getShortString(args, 10, uint32(args[9]))
+	if err {
+		logp.Warn("Failed to get queue in basic get-ok")
+		return false, false
+	}
+	routingKey, offset, err := getShortString(args, offset+1, uint32(args[offset]))
+	if err {
+		logp.Warn("Failed to get routing key in basic get-ok")
+		return false, false
+	}
+	m.Method = "basic.get-ok"
+	m.Fields = common.MapStr{
+		"delivery-tag":  binary.BigEndian.Uint64(args[0:8]),
+		"redelivered":   params[0],
+		"routing-key":   routingKey,
+		"message-count": binary.BigEndian.Uint32(args[offset : offset+4]),
+	}
+	if len(exchange) > 0 {
+		m.Fields["exchange"] = exchange
+	}
+	return true, false
+}
+
+func basicGetEmptyMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	m.Method = "basic.get-empty"
+	return true, true
+}
+
+func basicAckMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	params := getBitParams(args[8])
+	m.Method = "basic.ack"
+	m.IsRequest = true
+	m.Fields = common.MapStr{
+		"delivery-tag": binary.BigEndian.Uint64(args[0:8]),
+		"multiple":     params[0],
+	}
+	return true, true
+}
+
+//this is a rabbitMQ specific method
+func basicNackMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	params := getBitParams(args[8])
+	m.Method = "basic.nack"
+	m.IsRequest = true
+	m.Fields = common.MapStr{
+		"delivery-tag": binary.BigEndian.Uint64(args[0:8]),
+		"multiple":     params[0],
+		"requeue":      params[1],
+	}
+	return true, true
+}
+
+func basicRejectMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	params := getBitParams(args[8])
+	tag := binary.BigEndian.Uint64(args[0:8])
+	m.IsRequest = true
+	m.Method = "basic.reject"
+	m.Fields = common.MapStr{
+		"delivery-tag": tag,
+		"multiple":     params[0],
+	}
+	m.Request = strconv.FormatUint(tag, 10)
+	return true, true
+}
+
+func basicRecoverMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	params := getBitParams(args[0])
+	m.IsRequest = true
+	m.Method = "basic.recover"
+	m.Fields = common.MapStr{
+		"requeue": params[0],
+	}
+	return true, true
+}
+
+func txSelectMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	m.IsRequest = true
+	m.Method = "tx.select"
+	return true, true
+}
+
+func txCommitMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	m.IsRequest = true
+	m.Method = "tx.commit"
+	return true, true
+}
+
+func txRollbackMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	m.IsRequest = true
+	m.Method = "tx.rollback"
+	return true, true
+}
+
+//simple function used when server/client responds to a sync method with no new info
+func okMethod(m *AmqpMessage, args []byte) (bool, bool) {
+	return true, true
+}
+
+// function to get a short string. It sends back an error if slice is too short
+//for declared length. if length == 0, the function sends back an empty string and
+//advances the offset. Otherwise, it returns the string and the new offset
+func getShortString(data []byte, start uint32, length uint32) (short string, nextOffset uint32, err bool) {
+	if length == 0 {
+		return "", start, false
+	}
+	if uint32(len(data)) < start || uint32(len(data[start:])) < length {
+		return "", 0, true
+	}
+	return string(data[start : start+length]), start + length, false
+}
+
+//function to extract bit information in various AMQP methods
+func getBitParams(bits byte) (ret [5]bool) {
+	if bits&16 == 16 {
+		ret[4] = true
+	}
+	if bits&8 == 8 {
+		ret[3] = true
+	}
+	if bits&4 == 4 {
+		ret[2] = true
+	}
+	if bits&2 == 2 {
+		ret[1] = true
+	}
+	if bits&1 == 1 {
+		ret[0] = true
+	}
+	return ret
+}
diff --git a/packetbeat/protos/amqp/amqp_parser.go b/packetbeat/protos/amqp/amqp_parser.go
new file mode 100644
index 000000000000..01aa9dcee879
--- /dev/null
+++ b/packetbeat/protos/amqp/amqp_parser.go
@@ -0,0 +1,339 @@
+package amqp
+
+import (
+	"encoding/binary"
+	"github.com/elastic/beats/libbeat/common"
+	"github.com/elastic/beats/libbeat/logp"
+	"github.com/elastic/beats/packetbeat/procs"
+	"time"
+)
+
+func (amqp *Amqp) amqpMessageParser(s *AmqpStream) (ok bool, complete bool) {
+	for s.parseOffset < len(s.data) {
+
+		if len(s.data[s.parseOffset:]) < 8 {
+			logp.Warn("AMQP message smaller than a frame, waiting for more data")
+			return false, false
+		}
+
+		yes, version := isProtocolHeader(s.data[s.parseOffset:])
+		if yes {
+			debugf("Client header detected, version %d.%d.%d",
+				version[0], version[1], version[2])
+			s.parseOffset += 8
+		}
+
+		f, err := readFrameHeader(s.data[s.parseOffset:])
+		if err {
+			//incorrect header
+			return false, false
+		} else if f == nil {
+			//header not complete
+			return true, false
+		}
+
+		switch f.Type {
+		case METHOD:
+			ok, complete = amqp.decodeMethodFrame(s, f.content)
+		case HEADER:
+			ok = amqp.decodeHeaderFrame(s, f.content)
+		case BODY:
+			ok, complete = s.decodeBodyFrame(f.content)
+		case HEARTBEAT:
+			detailedf("Heartbeat frame received")
+		default:
+			logp.Warn("Received unknown AMQP frame")
+			return false, false
+		}
+
+		// cast should be safe because f.size should not be bigger than tcp.TCP_MAX_DATA_IN_STREAM
+		s.parseOffset += 8 + int(f.size)
+		if !ok {
+			return false, false
+		} else if complete {
+			return true, true
+		}
+	}
+	return ok, complete
+}
+
+func (stream *AmqpStream) PrepareForNewMessage() {
+	stream.message = nil
+}
+
+func isProtocolHeader(data []byte) (isHeader bool, version string) {
+	if (string(data[:4]) == "AMQP") && data[4] == 0 {
+		return true, string(data[5:8])
+	}
+	return false, ""
+}
+
+//func to read a frame header and check if it is valid and complete
+func readFrameHeader(data []byte) (ret *AmqpFrame, err bool) {
+	var frame AmqpFrame
+
+	frame.size = binary.BigEndian.Uint32(data[3:7])
+	if len(data) < int(frame.size)+8 {
+		logp.Warn("Frame shorter than declared size, waiting for more data")
+		return nil, false
+	}
+	if data[frame.size+7] != FRAME_END_OCTET {
+		logp.Warn("Missing frame end octet in frame, discarding it")
+		return nil, true
+	}
+	frame.Type = data[0]
+	frame.channel = binary.BigEndian.Uint16(data[1:3])
+	if frame.size == 0 {
+		//frame content is nil with hearbeat frames
+		frame.content = nil
+	} else {
+		frame.content = data[7 : frame.size+7]
+	}
+	return &frame, false
+}
+
+/*
+The Method Payload, according to official doc :
+0           2           4
++----------+-----------+-------------- - -
+| class-id | method-id | arguments...
++----------+-----------+-------------- - -
+  short       short       ...
+*/
+
+func (amqp *Amqp) decodeMethodFrame(s *AmqpStream, m_data []byte) (bool, bool) {
+	if len(m_data) < 4 {
+		logp.Warn("Method frame too small")
+		return true, false
+	}
+	class := codeClass(binary.BigEndian.Uint16(m_data[0:2]))
+	method := codeMethod(binary.BigEndian.Uint16(m_data[2:4]))
+	arguments := m_data[4:]
+	s.message.ParseArguments = amqp.ParseArguments
+	s.message.Body_size = uint64(len(m_data[4:]))
+
+	debugf("Received frame of class %d and method %d", class, method)
+
+	if function, exists := amqp.MethodMap[class][method]; exists {
+		return function(s.message, arguments)
+	} else {
+		logp.Debug("amqpdetailed", "Received unkown or not supported method")
+		return true, false
+	}
+}
+
+/*
+Structure of a content header, according to official doc :
+0           2        4          12               14
++----------+--------+-----------+----------------+------------- - -
+| class-id | weight | body size | property flags | property list...
++----------+--------+-----------+----------------+------------- - -
+  short      short   long long        short         remainder...
+*/
+
+func (amqp *Amqp) decodeHeaderFrame(s *AmqpStream, h_data []byte) bool {
+	if len(h_data) < 14 {
+		logp.Warn("Header frame too small")
+		return false
+	}
+	s.message.Body_size = binary.BigEndian.Uint64(h_data[4:12])
+	debugf("Received Header frame. A message of %d bytes is expected", s.message.Body_size)
+
+	if amqp.ParseHeaders == true {
+		err := getMessageProperties(s, h_data[12:])
+		if err {
+			return false
+		}
+	}
+	return true
+}
+
+/*
+Structure of a body frame, according to official doc :
++-----------------------+ +-----------+
+| Opaque binary payload | | frame-end |
++-----------------------+ +-----------+
+*/
+
+func (s *AmqpStream) decodeBodyFrame(b_data []byte) (ok bool, complete bool) {
+	s.message.Body = append(s.message.Body, b_data...)
+
+	debugf("A body frame of %d bytes long has been transmitted",
+		len(b_data))
+	//is the message complete ? If yes, let's publish it
+	if uint64(len(s.message.Body)) < s.message.Body_size {
+		return true, false
+	} else {
+		return true, true
+	}
+}
+
+func hasProperty(prop, flag byte) bool {
+	return (prop & flag) == flag
+}
+
+//function to get message content-type and content-encoding
+func getMessageProperties(s *AmqpStream, data []byte) bool {
+	m := s.message
+
+	//properties are coded in the two first bytes
+	prop1 := data[0]
+	prop2 := data[1]
+	var offset uint32 = 2
+
+	//while last bit set, we have another property flag field
+	for lastbit := 1; data[lastbit]&1 == 1; {
+		lastbit += 2
+		offset += 2
+	}
+
+	if hasProperty(prop1, contentTypeProp) {
+		contentType, next, err := getShortString(data, offset+1, uint32(data[offset]))
+		if err {
+			logp.Warn("Failed to get content type in header frame")
+			return true
+		}
+		m.Fields["content-type"] = contentType
+		offset = next
+	}
+
+	if hasProperty(prop1, contentEncodingProp) {
+		contentEncoding, next, err := getShortString(data, offset+1, uint32(data[offset]))
+		if err {
+			logp.Warn("Failed to get content encoding in header frame")
+			return true
+		}
+		m.Fields["content-encoding"] = contentEncoding
+		offset = next
+	}
+
+	if hasProperty(prop1, headersProp) {
+		headers := common.MapStr{}
+		next, err, exists := getTable(headers, data, offset)
+		if !err && exists {
+			m.Fields["headers"] = headers
+		} else if err {
+			logp.Warn("Failed to get headers")
+			return true
+		}
+		offset = next
+	}
+
+	if hasProperty(prop1, deliveryModeProp) {
+		if data[offset] == 1 {
+			m.Fields["delivery-mode"] = "non-persistent"
+		} else if data[offset] == 2 {
+			m.Fields["delivery-mode"] = "persistent"
+		}
+		offset += 1
+	}
+
+	if hasProperty(prop1, priorityProp) {
+		m.Fields["priority"] = data[offset]
+		offset += 1
+	}
+
+	if hasProperty(prop1, correlationIdProp) {
+		correlationId, next, err := getShortString(data, offset+1, uint32(data[offset]))
+		if err {
+			logp.Warn("Failed to get correlation-id in header frame")
+			return true
+		}
+		m.Fields["correlation-id"] = correlationId
+		offset = next
+	}
+
+	if hasProperty(prop1, replyToProp) {
+		replyTo, next, err := getShortString(data, offset+1, uint32(data[offset]))
+		if err {
+			logp.Warn("Failed to get reply-to in header frame")
+			return true
+		}
+		m.Fields["reply-to"] = replyTo
+		offset = next
+	}
+
+	if hasProperty(prop1, expirationProp) {
+		expiration, next, err := getShortString(data, offset+1, uint32(data[offset]))
+		if err {
+			logp.Warn("Failed to get expiration in header frame")
+			return true
+		}
+		m.Fields["expiration"] = expiration
+		offset = next
+	}
+
+	if hasProperty(prop2, messageIdProp) {
+		messageId, next, err := getShortString(data, offset+1, uint32(data[offset]))
+		if err {
+			logp.Warn("Failed to get message id in header frame")
+			return true
+		}
+		m.Fields["message-id"] = messageId
+		offset = next
+	}
+
+	if hasProperty(prop2, timestampProp) {
+		t := time.Unix(int64(binary.BigEndian.Uint64(data[offset:offset+8])), 0)
+		m.Fields["timestamp"] = t.Format(AMQPTIMELAYOUT)
+		offset += 8
+	}
+
+	if hasProperty(prop2, typeProp) {
+		msgType, next, err := getShortString(data, offset+1, uint32(data[offset]))
+		if err {
+			logp.Warn("Failed to get message type in header frame")
+			return true
+		}
+		m.Fields["type"] = msgType
+		offset = next
+	}
+
+	if hasProperty(prop2, userIdProp) {
+		userId, next, err := getShortString(data, offset+1, uint32(data[offset]))
+		if err {
+			logp.Warn("Failed to get user id in header frame")
+			return true
+		}
+		m.Fields["user-id"] = userId
+		offset = next
+	}
+
+	if hasProperty(prop2, appIdProp) {
+		appId, next, err := getShortString(data, offset+1, uint32(data[offset]))
+		if err {
+			logp.Warn("Failed to get app-id in header frame")
+			return true
+		}
+		m.Fields["app-id"] = appId
+		offset = next
+	}
+	return false
+}
+
+func (amqp *Amqp) handleAmqp(m *AmqpMessage, tcptuple *common.TcpTuple, dir uint8) {
+	if amqp.mustHideCloseMethod(m) {
+		return
+	}
+	debugf("A message is ready to be handled")
+	m.TcpTuple = *tcptuple
+	m.Direction = dir
+	m.CmdlineTuple = procs.ProcWatcher.FindProcessesTuple(tcptuple.IpPort())
+
+	if m.Method == "basic.publish" {
+		amqp.handlePublishing(m)
+	} else if m.Method == "basic.deliver" || m.Method == "basic.return" ||
+		m.Method == "basic.get-ok" {
+		amqp.handleDelivering(m)
+	} else if m.IsRequest == true {
+		amqp.handleAmqpRequest(m)
+	} else if m.IsRequest == false {
+		amqp.handleAmqpResponse(m)
+	}
+}
+
+func (amqp *Amqp) mustHideCloseMethod(m *AmqpMessage) bool {
+	return amqp.HideConnectionInformation == true &&
+		(m.Method == "connection.close" || m.Method == "channel.close") &&
+		getReplyCode(m.Fields) < uint16(300)
+}
diff --git a/packetbeat/protos/amqp/amqp_structs.go b/packetbeat/protos/amqp/amqp_structs.go
new file mode 100644
index 000000000000..5cecdb554857
--- /dev/null
+++ b/packetbeat/protos/amqp/amqp_structs.go
@@ -0,0 +1,227 @@
+package amqp
+
+import (
+	"github.com/elastic/beats/libbeat/common"
+	"time"
+)
+
+type AmqpMethod func(*AmqpMessage, []byte) (bool, bool)
+
+const (
+	TransactionsHashSize = 2 ^ 16
+	TransactionTimeout   = 10 * 1e9
+)
+
+//layout used when a timestamp must be parsed
+const (
+	AMQPTIMELAYOUT = "January _2 15:04:05 2006"
+)
+
+//Frame types and codes
+const (
+	METHOD    = 1
+	HEADER    = 2
+	BODY      = 3
+	HEARTBEAT = 8
+)
+
+const (
+	FRAME_END_OCTET byte = 206
+)
+
+//Codes for MethodMap
+type codeClass uint16
+
+const (
+	connectionCode codeClass = 10
+	channelCode    codeClass = 20
+	exchangeCode   codeClass = 40
+	queueCode      codeClass = 50
+	basicCode      codeClass = 60
+	txCode         codeClass = 90
+)
+
+type codeMethod uint16
+
+const (
+	connectionStart   codeMethod = 10
+	connectionStartOk codeMethod = 11
+	connectionTune    codeMethod = 30
+	connectionTuneOk  codeMethod = 31
+	connectionOpen    codeMethod = 40
+	connectionOpenOk  codeMethod = 41
+	connectionClose   codeMethod = 50
+	connectionCloseOk codeMethod = 51
+)
+
+const (
+	channelOpen    codeMethod = 10
+	channelOpenOk  codeMethod = 11
+	channelFlow    codeMethod = 20
+	channelFlowOk  codeMethod = 21
+	channelClose   codeMethod = 40
+	channelCloseOk codeMethod = 41
+)
+
+const (
+	exchangeDeclare   codeMethod = 10
+	exchangeDeclareOk codeMethod = 11
+	exchangeDelete    codeMethod = 20
+	exchangeDeleteOk  codeMethod = 21
+	exchangeBind      codeMethod = 30
+	exchangeBindOk    codeMethod = 31
+	exchangeUnbind    codeMethod = 40
+	exchangeUnbindOk  codeMethod = 51
+)
+
+const (
+	queueDeclare   codeMethod = 10
+	queueDeclareOk codeMethod = 11
+	queueBind      codeMethod = 20
+	queueBindOk    codeMethod = 21
+	queuePurge     codeMethod = 30
+	queuePurgeOk   codeMethod = 31
+	queueDelete    codeMethod = 40
+	queueDeleteOk  codeMethod = 41
+	queueUnbind    codeMethod = 50
+	queueUnbindOk  codeMethod = 51
+)
+
+const (
+	basicQos       codeMethod = 10
+	basicQosOk     codeMethod = 11
+	basicConsume   codeMethod = 20
+	basicConsumeOk codeMethod = 21
+	basicCancel    codeMethod = 30
+	basicCancelOk  codeMethod = 31
+	basicPublish   codeMethod = 40
+	basicReturn    codeMethod = 50
+	basicDeliver   codeMethod = 60
+	basicGet       codeMethod = 70
+	basicGetOk     codeMethod = 71
+	basicGetEmpty  codeMethod = 72
+	basicAck       codeMethod = 80
+	basicReject    codeMethod = 90
+	basicRecover   codeMethod = 110
+	basicRecoverOk codeMethod = 111
+	basicNack      codeMethod = 120
+)
+
+const (
+	txSelect     codeMethod = 10
+	txSelectOk   codeMethod = 11
+	txCommit     codeMethod = 20
+	txCommitOk   codeMethod = 21
+	txRollback   codeMethod = 30
+	txRollbackOk codeMethod = 31
+)
+
+//Message properties codes for byte prop1 in getMessageProperties
+const (
+	expirationProp      byte = 1
+	replyToProp         byte = 2
+	correlationIdProp   byte = 4
+	priorityProp        byte = 8
+	deliveryModeProp    byte = 16
+	headersProp         byte = 32
+	contentEncodingProp byte = 64
+	contentTypeProp     byte = 128
+)
+
+//Message properties codes for byte prop2 in getMessageProperties
+
+const (
+	appIdProp     byte = 8
+	userIdProp    byte = 16
+	typeProp      byte = 32
+	timestampProp byte = 64
+	messageIdProp byte = 128
+)
+
+//table types
+const (
+	boolean        = 't'
+	shortShortInt  = 'b'
+	shortShortUint = 'B'
+	shortInt       = 'U'
+	shortUint      = 'u'
+	longInt        = 'I'
+	longUint       = 'i'
+	longLongInt    = 'L'
+	longLongUint   = 'l'
+	float          = 'f'
+	double         = 'd'
+	decimal        = 'D'
+	shortString    = 's'
+	longString     = 'S'
+	fieldArray     = 'A'
+	timestamp      = 'T'
+	fieldTable     = 'F'
+	noField        = 'V'
+	byteArray      = 'x' //rabbitMQ specific field
+)
+
+type amqpPrivateData struct {
+	Data [2]*AmqpStream
+}
+
+type AmqpFrame struct {
+	Type    byte
+	channel uint16
+	size    uint32
+	content []byte
+}
+
+type AmqpMessage struct {
+	Ts             time.Time
+	TcpTuple       common.TcpTuple
+	CmdlineTuple   *common.CmdlineTuple
+	Method         string
+	IsRequest      bool
+	Request        string
+	Direction      uint8
+	ParseArguments bool
+
+	//mapstr containing all the options for the methods and header fields
+	Fields common.MapStr
+
+	Body      []byte
+	Body_size uint64
+
+	Notes []string
+}
+
+// represent a stream of data to be parsed
+type AmqpStream struct {
+	tcptuple *common.TcpTuple
+
+	data        []byte
+	parseOffset int
+
+	message *AmqpMessage
+}
+
+// contains the result of parsing
+type AmqpTransaction struct {
+	Type  string
+	tuple common.TcpTuple
+	Src   common.Endpoint
+	Dst   common.Endpoint
+	Ts    int64
+	JsTs  time.Time
+	ts    time.Time
+
+	Method       string
+	Request      string
+	Response     string
+	ResponseTime int32
+	Body         []byte
+	BytesOut     uint64
+	BytesIn      uint64
+	ToString     bool
+	Notes        []string
+
+	Amqp common.MapStr
+
+	timer *time.Timer
+}
diff --git a/packetbeat/protos/amqp/amqp_test.go b/packetbeat/protos/amqp/amqp_test.go
new file mode 100644
index 000000000000..6c6f167fc13d
--- /dev/null
+++ b/packetbeat/protos/amqp/amqp_test.go
@@ -0,0 +1,1192 @@
+package amqp
+
+import (
+	"encoding/hex"
+	"github.com/elastic/beats/libbeat/common"
+	"github.com/elastic/beats/libbeat/logp"
+	"github.com/elastic/beats/packetbeat/protos"
+	"github.com/elastic/beats/packetbeat/publish"
+	"github.com/stretchr/testify/assert"
+	"net"
+	"testing"
+)
+
+func AmqpModForTests() *Amqp {
+	var amqp Amqp
+	results := &publish.ChanTransactions{make(chan common.MapStr, 10)}
+	amqp.Init(true, results)
+	return &amqp
+}
+
+func testTcpTuple() *common.TcpTuple {
+	t := &common.TcpTuple{
+		Ip_length: 4,
+		Src_ip:    net.IPv4(192, 168, 0, 1), Dst_ip: net.IPv4(192, 168, 0, 2),
+		Src_port: 6512, Dst_port: 3306,
+	}
+	t.ComputeHashebles()
+	return t
+}
+
+func expectTransaction(t *testing.T, amqp *Amqp) common.MapStr {
+	client := amqp.results.(*publish.ChanTransactions)
+	select {
+	case trans := <-client.Channel:
+		return trans
+	default:
+		t.Error("No transaction")
+	}
+	return nil
+}
+
+func TestAmqp_UnknownMethod(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+
+	data, err := hex.DecodeString("0100010000000f006e000c0000075465737447657401ce")
+	assert.Nil(t, err)
+	stream := &AmqpStream{data: data, message: new(AmqpMessage)}
+	ok, complete := amqp.amqpMessageParser(stream)
+
+	if !ok {
+		t.Errorf("Parsing returned error")
+	}
+	if complete {
+		t.Errorf("Message should not be complete")
+	}
+}
+
+func TestAmqp_FrameSize(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+
+	//incomplete frame
+	data, err := hex.DecodeString("0100000000000c000a001fffff000200")
+	assert.Nil(t, err)
+
+	stream := &AmqpStream{data: data, message: new(AmqpMessage)}
+	ok, complete := amqp.amqpMessageParser(stream)
+
+	if !ok {
+		t.Errorf("Parsing should not raise an error")
+	}
+	if complete {
+		t.Errorf("message should not be complete")
+	}
+
+	//ok size
+	data, err = hex.DecodeString("0100000000000c000a001fffff00020000000ace")
+	assert.Nil(t, err)
+	stream = &AmqpStream{data: data, message: new(AmqpMessage)}
+	ok, complete = amqp.amqpMessageParser(stream)
+	if !ok {
+		t.Errorf("Parsing should be ok")
+	}
+	if complete {
+		t.Errorf("message should not be complete")
+	}
+}
+
+func TestAmqp_WrongShortStringSize(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+
+	data, err := hex.DecodeString("02000100000019003c000000000000000000058000ac" +
+		"746578742f706c61696ece")
+	assert.Nil(t, err)
+
+	stream := &AmqpStream{data: data, message: new(AmqpMessage)}
+	ok, _ := amqp.amqpMessageParser(stream)
+
+	if ok {
+		t.Errorf("Parsing failed to detect error")
+	}
+}
+
+func TestAmqp_QueueDeclaration(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+
+	data, err := hex.DecodeString("0100010000001a0032000a00000e5468697320697" +
+		"3206120544553541800000000ce")
+	assert.Nil(t, err)
+
+	stream := &AmqpStream{data: data, message: new(AmqpMessage)}
+
+	m := stream.message
+	ok, complete := amqp.amqpMessageParser(stream)
+
+	if !ok {
+		t.Errorf("Parsing returned error")
+	}
+	if !complete {
+		t.Errorf("Message should be complete")
+	}
+	assert.Equal(t, "This is a TEST", m.Fields["queue"])
+	assert.Equal(t, false, m.Fields["passive"])
+	assert.Equal(t, false, m.Fields["durable"])
+	assert.Equal(t, false, m.Fields["exclusive"])
+	assert.Equal(t, true, m.Fields["auto-delete"])
+	assert.Equal(t, true, m.Fields["no-wait"])
+	_, exists := m.Fields["arguments"].(common.MapStr)
+	if exists {
+		t.Errorf("Arguments field should not be present")
+	}
+}
+
+func TestAmqp_ExchangeDeclaration(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+
+	data, err := hex.DecodeString("0100010000001c0028000a00000a6c6f67735f746f7" +
+		"0696305746f7069630200000000ce")
+	assert.Nil(t, err)
+
+	stream := &AmqpStream{data: data, message: new(AmqpMessage)}
+
+	m := stream.message
+	ok, complete := amqp.amqpMessageParser(stream)
+
+	if !ok {
+		t.Errorf("Parsing returned error")
+	}
+	if !complete {
+		t.Errorf("Message should be complete")
+	}
+	assert.Equal(t, "exchange.declare", m.Method)
+	assert.Equal(t, "logs_topic", m.Fields["exchange"])
+	assert.Equal(t, "logs_topic", m.Request)
+	assert.Equal(t, true, m.Fields["durable"])
+	assert.Equal(t, false, m.Fields["passive"])
+	assert.Equal(t, false, m.Fields["no-wait"])
+	assert.Equal(t, "topic", m.Fields["exchange-type"])
+	_, exists := m.Fields["arguments"].(common.MapStr)
+	if exists {
+		t.Errorf("Arguments field should not be present")
+	}
+}
+
+func TestAmqp_BasicConsume(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+
+	data, err := hex.DecodeString("01000100000028003c001400000e4957616e74" +
+		"546f436f6e73756d650d6d6973746572436f6e73756d650300000000ce")
+	assert.Nil(t, err)
+
+	stream := &AmqpStream{data: data, message: new(AmqpMessage)}
+
+	m := stream.message
+	ok, complete := amqp.amqpMessageParser(stream)
+
+	if !ok {
+		t.Errorf("Parsing returned error")
+	}
+	if !complete {
+		t.Errorf("Message should be complete")
+	}
+	assert.Equal(t, "basic.consume", m.Method)
+	assert.Equal(t, "IWantToConsume", m.Fields["queue"])
+	assert.Equal(t, "misterConsume", m.Fields["consumer-tag"])
+	assert.Equal(t, true, m.Fields["no-ack"])
+	assert.Equal(t, false, m.Fields["exclusive"])
+	assert.Equal(t, true, m.Fields["no-local"])
+	assert.Equal(t, false, m.Fields["no-wait"])
+	_, exists := m.Fields["arguments"].(common.MapStr)
+	if exists {
+		t.Errorf("Arguments field should not be present")
+	}
+}
+
+func TestAmqp_ExchangeDeletion(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+
+	data, err := hex.DecodeString("010001000000100028001400000844656c65746" +
+		"54d6501ce")
+	assert.Nil(t, err)
+
+	stream := &AmqpStream{data: data, message: new(AmqpMessage)}
+
+	m := stream.message
+	ok, complete := amqp.amqpMessageParser(stream)
+
+	if !ok {
+		t.Errorf("Parsing returned error")
+	}
+	if !complete {
+		t.Errorf("Message should be complete")
+	}
+	assert.Equal(t, "exchange.delete", m.Method)
+	assert.Equal(t, "DeleteMe", m.Fields["exchange"])
+	assert.Equal(t, "DeleteMe", m.Request)
+	assert.Equal(t, true, m.Fields["if-unused"])
+	assert.Equal(t, false, m.Fields["no-wait"])
+}
+
+//this method is exclusive to RabbitMQ
+func TestAmqp_ExchangeBind(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+
+	data, err := hex.DecodeString("0100010000001c0028001e0000057465737431" +
+		"057465737432044d5346540000000000ce")
+	assert.Nil(t, err)
+
+	stream := &AmqpStream{data: data, message: new(AmqpMessage)}
+
+	m := stream.message
+	ok, complete := amqp.amqpMessageParser(stream)
+
+	if !ok {
+		t.Errorf("Parsing returned error")
+	}
+	if !complete {
+		t.Errorf("Message should be complete")
+	}
+	assert.Equal(t, "exchange.bind", m.Method)
+	assert.Equal(t, "test1", m.Fields["destination"])
+	assert.Equal(t, "test2", m.Fields["source"])
+	assert.Equal(t, "MSFT", m.Fields["routing-key"])
+	assert.Equal(t, "test2 test1", m.Request)
+	assert.Equal(t, false, m.Fields["no-wait"])
+	_, exists := m.Fields["arguments"].(common.MapStr)
+	if exists {
+		t.Errorf("Arguments field should not be present")
+	}
+}
+
+//this method is exclusive to RabbitMQ
+func TestAmqp_ExchangeUnbindTransaction(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+	amqp.SendRequest = true
+
+	data, err := hex.DecodeString("0100010000001c00280028000005746573743105" +
+		"7465737432044d5346540000000000ce")
+	assert.Nil(t, err)
+	data2, err := hex.DecodeString("0100010000000400280033ce")
+	assert.Nil(t, err)
+
+	tcptuple := testTcpTuple()
+
+	req := protos.Packet{Payload: data}
+	private := protos.ProtocolData(new(amqpPrivateData))
+	private = amqp.Parse(&req, tcptuple, 0, private)
+	req = protos.Packet{Payload: data2}
+	private = amqp.Parse(&req, tcptuple, 1, private)
+
+	trans := expectTransaction(t, amqp)
+	assert.Equal(t, "exchange.unbind", trans["method"])
+	assert.Equal(t, "exchange.unbind test2 test1", trans["request"])
+	assert.Equal(t, "amqp", trans["type"])
+	assert.Equal(t, common.OK_STATUS, trans["status"])
+	fields, ok := trans["amqp"].(common.MapStr)
+	if !ok {
+		t.Errorf("Field should be present")
+	}
+	assert.Equal(t, "test1", fields["destination"])
+	assert.Equal(t, "test2", fields["source"])
+	assert.Equal(t, "MSFT", fields["routing-key"])
+	assert.Equal(t, false, fields["no-wait"])
+
+}
+
+func TestAmqp_PublishMessage(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+	amqp.SendRequest = true
+
+	data, err := hex.DecodeString("0100010000001b003c002800000a6c6f67735f746f70" +
+		"696308414d51507465737400ce")
+	assert.Nil(t, err)
+	data2, err := hex.DecodeString("02000100000019003c0000000000000000001c800" +
+		"00a746578742f706c61696ece")
+	assert.Nil(t, err)
+	data3, err := hex.DecodeString("0300010000001c48656c6c6f204461726c696e67" +
+		"2049276d20686f6d6520616761696ece")
+	assert.Nil(t, err)
+
+	tcptuple := testTcpTuple()
+
+	req := protos.Packet{Payload: data}
+	private := protos.ProtocolData(new(amqpPrivateData))
+
+	//method frame
+	private = amqp.Parse(&req, tcptuple, 0, private)
+	req = protos.Packet{Payload: data2}
+	//header frame
+	private = amqp.Parse(&req, tcptuple, 0, private)
+	req = protos.Packet{Payload: data3}
+	//body frame
+	private = amqp.Parse(&req, tcptuple, 0, private)
+
+	trans := expectTransaction(t, amqp)
+
+	body := "Hello Darling I'm home again"
+
+	assert.Equal(t, "basic.publish", trans["method"])
+	assert.Equal(t, "amqp", trans["type"])
+	assert.Equal(t, body, trans["request"])
+	assert.Equal(t, common.OK_STATUS, trans["status"])
+	fields, ok := trans["amqp"].(common.MapStr)
+	if !ok {
+		t.Errorf("Field should be present")
+	}
+	assert.Equal(t, "text/plain", fields["content-type"])
+	assert.Equal(t, "logs_topic", fields["exchange"])
+	assert.Equal(t, "AMQPtest", fields["routing-key"])
+	assert.Equal(t, false, fields["immediate"])
+	assert.Equal(t, false, fields["mandatory"])
+}
+
+func TestAmqp_DeliverMessage(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+	amqp.SendResponse = true
+
+	data, err := hex.DecodeString("01000100000034003c003c0d6d6973746572436f6e73" +
+		"756d650000000000000002000c7465737445786368616e67650b7465737444656c697" +
+		"66572ce")
+	assert.Nil(t, err)
+	data2, err := hex.DecodeString("02000100000019003c000000000000000000058" +
+		"0000a746578742f706c61696ece")
+	assert.Nil(t, err)
+	data3, err := hex.DecodeString("030001000000056b696b6f6fce")
+	assert.Nil(t, err)
+
+	tcptuple := testTcpTuple()
+
+	req := protos.Packet{Payload: data}
+	private := protos.ProtocolData(new(amqpPrivateData))
+
+	//method frame
+	private = amqp.Parse(&req, tcptuple, 0, private)
+	req = protos.Packet{Payload: data2}
+	//header frame
+	private = amqp.Parse(&req, tcptuple, 0, private)
+	req = protos.Packet{Payload: data3}
+	//body frame
+	private = amqp.Parse(&req, tcptuple, 0, private)
+
+	trans := expectTransaction(t, amqp)
+
+	assert.Equal(t, "basic.deliver", trans["method"])
+	assert.Equal(t, "amqp", trans["type"])
+	assert.Equal(t, "kikoo", trans["response"])
+	assert.Equal(t, common.OK_STATUS, trans["status"])
+	fields, ok := trans["amqp"].(common.MapStr)
+	if !ok {
+		t.Errorf("Field should be present")
+	}
+	assert.Equal(t, "misterConsume", fields["consumer-tag"])
+	assert.Equal(t, "text/plain", fields["content-type"])
+	assert.Equal(t, "testDeliver", fields["routing-key"])
+	assert.Equal(t, false, fields["redelivered"])
+}
+
+func TestAmqp_MessagePropertiesFields(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+	amqp.SendResponse = true
+
+	data, err := hex.DecodeString("01000100000013003c00280000000a546573744865" +
+		"6164657200ce02000100000061003c0000000000000000001ab8e00a746578742f706c" +
+		"61696e0000002203796f70530000000468696869036e696c56066e756d626572644044" +
+		"40000000000002060a656c206d656e73616a650000000055f81dc00c6c6f7665206d65" +
+		"7373616765ce0300010000001a5465737420686561646572206669656c647320666f72" +
+		"65766572ce")
+	assert.Nil(t, err)
+
+	stream := &AmqpStream{data: data, message: new(AmqpMessage)}
+	ok, complete := amqp.amqpMessageParser(stream)
+	m := stream.message
+	if !ok {
+		t.Errorf("Parsing returned error")
+	}
+	if !complete {
+		t.Errorf("Message should be complete")
+	}
+	assert.Equal(t, "basic.publish", m.Method)
+	assert.Equal(t, "persistent", m.Fields["delivery-mode"])
+	assert.Equal(t, "el mensaje", m.Fields["message-id"])
+	assert.Equal(t, "love message", m.Fields["type"])
+	assert.Equal(t, "text/plain", m.Fields["content-type"])
+	//assert.Equal(t, "September 15 15:31:44 2015", m.Fields["timestamp"])
+	priority, ok := m.Fields["priority"].(uint8)
+	if !ok {
+		t.Errorf("Field should be present")
+	} else if ok && priority != 6 {
+		t.Errorf("Wrong argument")
+	}
+	headers, ok := m.Fields["headers"].(common.MapStr)
+	if !ok {
+		t.Errorf("Headers should be present")
+	}
+	assert.Equal(t, "hihi", headers["yop"])
+	assert.Equal(t, nil, headers["nil"])
+	assert.Equal(t, 40.5, headers["number"])
+
+}
+
+func TestAmqp_ChannelError(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+
+	data1, err := hex.DecodeString("0100010000009000140028019685505245434f4e444" +
+		"954494f4e5f4641494c4544202d20696e6571756976616c656e74206172672027617574" +
+		"6f5f64656c6574652720666f722065786368616e676520277465737445786368616e676" +
+		"52720696e2076686f737420272f273a207265636569766564202774727565272062757" +
+		"42063757272656e74206973202766616c7365270028000ace")
+	assert.Nil(t, err)
+
+	stream := &AmqpStream{data: data1, message: new(AmqpMessage)}
+	ok, complete := amqp.amqpMessageParser(stream)
+	m := stream.message
+
+	if !ok {
+		t.Errorf("Parsing returned error")
+	}
+	if !complete {
+		t.Errorf("Message should be complete")
+	}
+	assert.Equal(t, "channel.close", m.Method)
+	class, ok := m.Fields["class-id"].(uint16)
+	if !ok {
+		t.Errorf("Field should be present")
+	} else if ok && class != 40 {
+		t.Errorf("Wrong argument")
+	}
+	method, ok := m.Fields["method-id"].(uint16)
+	if !ok {
+		t.Errorf("Field should be present")
+	} else if ok && method != 10 {
+		t.Errorf("Wrong argument")
+	}
+	code, ok := m.Fields["reply-code"].(uint16)
+	if !ok {
+		t.Errorf("Field should be present")
+	} else if ok && code != 406 {
+		t.Errorf("Wrong argument")
+	}
+	text := "PRECONDITION_FAILED - inequivalent arg 'auto_delete' for" +
+		" exchange 'testExchange' in vhost '/': received 'true' but current is " +
+		"'false'"
+	assert.Equal(t, text, m.Fields["reply-text"])
+}
+
+func TestAmqp_NoWaitQueueDeleteMethod(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+	amqp.SendRequest = true
+
+	data, err := hex.DecodeString("010001000000120032002800000a546573745468" +
+		"6f6d617304ce")
+	assert.Nil(t, err)
+
+	tcptuple := testTcpTuple()
+
+	req := protos.Packet{Payload: data}
+	private := protos.ProtocolData(new(amqpPrivateData))
+
+	private = amqp.Parse(&req, tcptuple, 0, private)
+
+	trans := expectTransaction(t, amqp)
+
+	assert.Equal(t, "queue.delete", trans["method"])
+	assert.Equal(t, "queue.delete TestThomas", trans["request"])
+	assert.Equal(t, "amqp", trans["type"])
+	fields, ok := trans["amqp"].(common.MapStr)
+	if !ok {
+		t.Errorf("Field should be present")
+	}
+	assert.Equal(t, true, fields["no-wait"])
+	assert.Equal(t, false, fields["if-empty"])
+	assert.Equal(t, false, fields["if-unused"])
+	assert.Equal(t, "TestThomas", fields["queue"])
+}
+
+func TestAmqp_RejectMessage(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+	amqp.SendRequest = true
+
+	data, err := hex.DecodeString("0100010000000d003c005a000000000000000101ce")
+	assert.Nil(t, err)
+
+	tcptuple := testTcpTuple()
+
+	req := protos.Packet{Payload: data}
+	private := protos.ProtocolData(new(amqpPrivateData))
+
+	//method frame
+	private = amqp.Parse(&req, tcptuple, 0, private)
+
+	trans := expectTransaction(t, amqp)
+
+	assert.Equal(t, "basic.reject", trans["method"])
+	assert.Equal(t, "basic.reject 1", trans["request"])
+	assert.Equal(t, "amqp", trans["type"])
+	assert.Equal(t, common.ERROR_STATUS, trans["status"])
+	fields, ok := trans["amqp"].(common.MapStr)
+	if !ok {
+		t.Errorf("Field should be present")
+	}
+	assert.Equal(t, true, fields["multiple"])
+}
+
+func TestAmqp_GetEmptyMethod(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+	amqp.SendRequest = true
+
+	data, err := hex.DecodeString("01000100000013003c004600000b526f626269" +
+		"654b65616e6501ce")
+	assert.Nil(t, err)
+	data2, err := hex.DecodeString("01000100000005003c004800ce")
+	assert.Nil(t, err)
+
+	tcptuple := testTcpTuple()
+
+	req := protos.Packet{Payload: data}
+	private := protos.ProtocolData(new(amqpPrivateData))
+	private = amqp.Parse(&req, tcptuple, 0, private)
+	req = protos.Packet{Payload: data2}
+	private = amqp.Parse(&req, tcptuple, 1, private)
+
+	trans := expectTransaction(t, amqp)
+	assert.Equal(t, "basic.get-empty", trans["method"])
+	assert.Equal(t, "basic.get RobbieKeane", trans["request"])
+	assert.Equal(t, "amqp", trans["type"])
+	assert.Equal(t, common.OK_STATUS, trans["status"])
+}
+
+func TestAmqp_GetMethod(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+	amqp.SendRequest = true
+	amqp.SendResponse = true
+
+	data, err := hex.DecodeString("0100010000000f003c0046000007546573744" +
+		"7657401ce")
+	assert.Nil(t, err)
+	data2, err := hex.DecodeString("0100010000001a003c00470000000000000001" +
+		"0000075465737447657400000001ce02000100000019003c000000000000000000" +
+		"1280000a746578742f706c61696ece03000100000012476574206d6520696620796" +
+		"f752064617265ce")
+	assert.Nil(t, err)
+
+	tcptuple := testTcpTuple()
+
+	req := protos.Packet{Payload: data}
+	private := protos.ProtocolData(new(amqpPrivateData))
+	private = amqp.Parse(&req, tcptuple, 0, private)
+	req = protos.Packet{Payload: data2}
+	private = amqp.Parse(&req, tcptuple, 1, private)
+
+	trans := expectTransaction(t, amqp)
+	assert.Equal(t, "basic.get", trans["method"])
+	assert.Equal(t, "basic.get TestGet", trans["request"])
+	assert.Equal(t, "amqp", trans["type"])
+	assert.Equal(t, common.OK_STATUS, trans["status"])
+	assert.Equal(t, "Get me if you dare", trans["response"])
+}
+
+func TestAmqp_MaxBodyLength(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+	amqp.MaxBodyLength = 10
+	amqp.SendRequest = true
+
+	data, err := hex.DecodeString("01000100000010003c002800000007546573744d617" +
+		"800ce02000100000019003c0000000000000000001680000a746578742f706c61696ece" +
+		"0300010000001649276d2061207665727920626967206d657373616765ce")
+	assert.Nil(t, err)
+
+	tcptuple := testTcpTuple()
+
+	req := protos.Packet{Payload: data}
+	private := protos.ProtocolData(new(amqpPrivateData))
+
+	//method frame
+	private = amqp.Parse(&req, tcptuple, 0, private)
+
+	trans := expectTransaction(t, amqp)
+
+	assert.Equal(t, "basic.publish", trans["method"])
+	assert.Equal(t, "amqp", trans["type"])
+	assert.Equal(t, "I'm a very [...]", trans["request"])
+	assert.Equal(t, common.OK_STATUS, trans["status"])
+	fields, ok := trans["amqp"].(common.MapStr)
+	if !ok {
+		t.Errorf("Field should be present")
+	}
+	assert.Equal(t, "text/plain", fields["content-type"])
+	assert.Equal(t, "TestMax", fields["routing-key"])
+	assert.Equal(t, false, fields["immediate"])
+	assert.Equal(t, false, fields["mandatory"])
+	_, exists := fields["exchange"]
+	assert.False(t, exists)
+
+	data, err = hex.DecodeString("01000100000010003c002800000007546573744d6" +
+		"17800ce02000100000018003c0000000000000000003a800009696d6167652f676966" +
+		"ce0300010000003a41414141414141414141414141414141414141414141414141414141" +
+		"414141414141414141414141414141414141414141414141414141414141ce")
+	assert.Nil(t, err)
+
+	tcptuple = testTcpTuple()
+
+	req = protos.Packet{Payload: data}
+	private = protos.ProtocolData(new(amqpPrivateData))
+
+	//method frame
+	private = amqp.Parse(&req, tcptuple, 0, private)
+
+	trans = expectTransaction(t, amqp)
+
+	assert.Equal(t, "basic.publish", trans["method"])
+	assert.Equal(t, "amqp", trans["type"])
+	assert.Equal(t, "65 65 65 65 65 65 65 65 65 65 [...]", trans["request"])
+	assert.Equal(t, common.OK_STATUS, trans["status"])
+	fields, ok = trans["amqp"].(common.MapStr)
+	if !ok {
+		t.Errorf("Field should be present")
+	}
+	assert.Equal(t, "image/gif", fields["content-type"])
+	assert.Equal(t, "TestMax", fields["routing-key"])
+	assert.Equal(t, false, fields["immediate"])
+	assert.Equal(t, false, fields["mandatory"])
+	_, exists = fields["exchange"]
+	assert.False(t, exists)
+}
+
+func TestAmqp_HideArguments(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+	amqp.SendRequest = true
+	amqp.ParseHeaders = false
+	amqp.ParseArguments = false
+
+	//parse args
+	data, err := hex.DecodeString("0100010000004d0032000a00000a5465737448656164" +
+		"6572180000003704626f6f6c74010362697462050568656c6c6f530000001f4869206461" +
+		"726c696e6720c3aac3aac3aac3aac3aac3aac3aae697a5e69cacce")
+	assert.Nil(t, err)
+	tcptuple := testTcpTuple()
+	req := protos.Packet{Payload: data}
+	private := protos.ProtocolData(new(amqpPrivateData))
+	private = amqp.Parse(&req, tcptuple, 0, private)
+
+	trans := expectTransaction(t, amqp)
+	assert.Equal(t, "queue.declare", trans["method"])
+	assert.Equal(t, "amqp", trans["type"])
+	assert.Equal(t, "queue.declare TestHeader", trans["request"])
+	fields, ok := trans["amqp"].(common.MapStr)
+	if !ok {
+		t.Errorf("Field should be present")
+	}
+	assert.Equal(t, false, fields["durable"])
+	assert.Equal(t, true, fields["auto-delete"])
+	_, exists := fields["arguments"].(common.MapStr)
+	if exists {
+		t.Errorf("Arguments field should not be present")
+	}
+
+	//parse headers
+	data, err = hex.DecodeString("01000100000013003c00280000000a546573744865616" +
+		"4657200ce02000100000026003c0000000000000000001a98800a746578742f706c61696" +
+		"e02060a656c206d656e73616a65ce0300010000001a54657374206865616465722066696" +
+		"56c647320666f7265766572ce")
+	assert.Nil(t, err)
+	tcptuple = testTcpTuple()
+	req = protos.Packet{Payload: data}
+	private = protos.ProtocolData(new(amqpPrivateData))
+	private = amqp.Parse(&req, tcptuple, 0, private)
+	trans = expectTransaction(t, amqp)
+	assert.Equal(t, "basic.publish", trans["method"])
+	assert.Equal(t, "amqp", trans["type"])
+	fields, ok = trans["amqp"].(common.MapStr)
+	if !ok {
+		t.Errorf("Field should be present")
+	}
+	assert.Equal(t, "TestHeader", fields["routing-key"])
+	_, exists = fields["exchange"]
+	assert.False(t, exists)
+	assert.Equal(t, false, fields["mandatory"])
+	assert.Equal(t, false, fields["immediate"])
+	assert.Equal(t, nil, fields["message-id"])
+	assert.Equal(t, nil, fields["content-type"])
+	assert.Equal(t, nil, fields["delivery-mode"])
+	assert.Equal(t, nil, fields["priority"])
+}
+
+func TestAmqp_RecoverMethod(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+	amqp.SendRequest = true
+
+	data, err := hex.DecodeString("01000100000005003c006e01ce")
+	assert.Nil(t, err)
+	data2, err := hex.DecodeString("01000100000004003c006fce")
+	assert.Nil(t, err)
+
+	tcptuple := testTcpTuple()
+
+	req := protos.Packet{Payload: data}
+	private := protos.ProtocolData(new(amqpPrivateData))
+	private = amqp.Parse(&req, tcptuple, 0, private)
+	req = protos.Packet{Payload: data2}
+	private = amqp.Parse(&req, tcptuple, 1, private)
+
+	trans := expectTransaction(t, amqp)
+	assert.Equal(t, "basic.recover", trans["method"])
+	assert.Equal(t, "basic.recover", trans["request"])
+	assert.Equal(t, "amqp", trans["type"])
+	assert.Equal(t, common.OK_STATUS, trans["status"])
+	assert.Equal(t, common.MapStr{"requeue": true}, trans["amqp"])
+}
+
+//this is a specific rabbitMQ method
+func TestAmqp_BasicNack(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+
+	data1, err := hex.DecodeString("0100010000000d003c0078000000000000000102ce")
+	assert.Nil(t, err)
+
+	stream := &AmqpStream{data: data1, message: new(AmqpMessage)}
+	ok, complete := amqp.amqpMessageParser(stream)
+	m := stream.message
+
+	if !ok {
+		t.Errorf("Parsing returned error")
+	}
+	if !complete {
+		t.Errorf("Message should be complete")
+	}
+	assert.Equal(t, "basic.nack", m.Method)
+	assert.Equal(t, false, m.Fields["multiple"])
+	assert.Equal(t, true, m.Fields["requeue"])
+}
+
+func TestAmqp_GetTable(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+
+	data, err := hex.DecodeString("010001000000890032000a00000a5465737448656164" +
+		"657218000000730974696d657374616d70540000000055f7e40903626974620507646563" +
+		"696d616c440500ec49050568656c6c6f530000001f4869206461726c696e6720c3aac3aa" +
+		"c3aac3aac3aac3aac3aae697a5e69cac06646f75626c656440453e100cbd7da405666c6f" +
+		"6174664124cccd04626f6f6c7401ce")
+	assert.Nil(t, err)
+
+	stream := &AmqpStream{data: data, message: new(AmqpMessage)}
+	ok, complete := amqp.amqpMessageParser(stream)
+	m := stream.message
+
+	if !ok {
+		t.Errorf("Parsing returned error")
+	}
+	if !complete {
+		t.Errorf("Message should be complete")
+	}
+	args, ok := m.Fields["arguments"].(common.MapStr)
+	if !ok {
+		t.Errorf("Field should be present")
+	}
+	double, ok := args["double"].(float64)
+	if !ok {
+		t.Errorf("Field should be present")
+	} else if ok && double != 42.4848648 {
+		t.Errorf("Wrong argument")
+	}
+
+	float, ok := args["float"].(float32)
+	if !ok {
+		t.Errorf("Field should be present")
+	} else if ok && float != 10.3 {
+		t.Errorf("Wrong argument")
+	}
+
+	argByte, ok := args["bit"].(int8)
+	if !ok {
+		t.Errorf("Field should be present")
+	} else if ok && argByte != 5 {
+		t.Errorf("Wrong argument")
+	}
+
+	assert.Equal(t, "Hi darling êêêêêêê日本", args["hello"])
+	assert.Equal(t, true, args["bool"])
+	assert.Equal(t, "154.85189", args["decimal"])
+	assert.Equal(t, "queue.declare", m.Method)
+	assert.Equal(t, false, m.Fields["durable"])
+	assert.Equal(t, true, m.Fields["no-wait"])
+	assert.Equal(t, true, m.Fields["auto-delete"])
+	assert.Equal(t, false, m.Fields["exclusive"])
+	//assert.Equal(t, "September 15 11:25:29 2015", args["timestamp"])
+	assert.Equal(t, "TestHeader", m.Request)
+}
+
+func TestAmqp_TableInception(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+
+	data, err := hex.DecodeString("010001000000860028000a000005746573743105" +
+		"746f706963020000006f09696e63657074696f6e460000005006696e636570315300" +
+		"000006445245414d5306696e6365703253000000064d4152494f4e056c696d626f46" +
+		"00000021066c696d626f315300000004436f6262066c696d626f3253000000055361" +
+		"69746f06626967496e746c00071afd498d0000ce")
+	assert.Nil(t, err)
+
+	stream := &AmqpStream{data: data, message: new(AmqpMessage)}
+	ok, complete := amqp.amqpMessageParser(stream)
+	m := stream.message
+
+	if !ok {
+		t.Errorf("Parsing returned error")
+	}
+	if !complete {
+		t.Errorf("Message should be complete")
+	}
+	assert.Equal(t, "exchange.declare", m.Method)
+	assert.Equal(t, "test1", m.Fields["exchange"])
+
+	args, ok := m.Fields["arguments"].(common.MapStr)
+	if !ok {
+		t.Errorf("Field should be present")
+	}
+	assert.Nil(t, m.Notes)
+
+	bigInt, ok := args["bigInt"].(uint64)
+	if !ok {
+		t.Errorf("Field should be present")
+	} else if ok && bigInt != 2000000000000000 {
+		t.Errorf("Wrong argument")
+	}
+	inception, ok := args["inception"].(common.MapStr)
+	if !ok {
+		t.Errorf("Field should be present")
+	}
+	assert.Equal(t, "DREAMS", inception["incep1"])
+	assert.Equal(t, "MARION", inception["incep2"])
+
+	limbo, ok := inception["limbo"].(common.MapStr)
+	if !ok {
+		t.Errorf("Field should be present")
+	}
+	assert.Equal(t, "Cobb", limbo["limbo1"])
+	assert.Equal(t, "Saito", limbo["limbo2"])
+}
+
+func TestAmqp_ArrayFields(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+
+	//byte array, rabbitMQ specific field
+	data, err := hex.DecodeString("010001000000260028000a0000057465737431057" +
+		"46f706963020000000f05617272617978000000040a007dd2ce")
+	assert.Nil(t, err)
+
+	stream := &AmqpStream{data: data, message: new(AmqpMessage)}
+	ok, complete := amqp.amqpMessageParser(stream)
+	m := stream.message
+
+	if !ok {
+		t.Errorf("Parsing returned error")
+	}
+	if !complete {
+		t.Errorf("Message should be complete")
+	}
+	args, ok := m.Fields["arguments"].(common.MapStr)
+	if !ok {
+		t.Errorf("Field should be present")
+	}
+	assert.Nil(t, m.Notes)
+	assert.Equal(t, "[10, 0, 125, 210]", args["array"])
+
+	data, err = hex.DecodeString("010001000000b60028000a000005746573743105746" +
+		"f706963020000009f0474657374530000001061206c6f74206f6620617272617973210a" +
+		"6172726179666c6f6174410000001b64404540000000000064403ccccccccccccd64404" +
+		"0a66666666666096172726179626f6f6c410000000a740174007400740174010b617272" +
+		"6179737472696e674100000030530000000441414141530000000442424242530000001" +
+		"9d090d0bdd0bdd0b020d09ad0b0d180d0b5d0bdd0b8d0bdd0b0ce")
+	assert.Nil(t, err)
+
+	stream = &AmqpStream{data: data, message: new(AmqpMessage)}
+	ok, complete = amqp.amqpMessageParser(stream)
+	m = stream.message
+	if !ok {
+		t.Errorf("Parsing returned error")
+	}
+	if !complete {
+		t.Errorf("Message should be complete")
+	}
+	args, ok = m.Fields["arguments"].(common.MapStr)
+	if !ok {
+		t.Errorf("Field should be present")
+	}
+
+	assert.Equal(t, "a lot of arrays!", args["test"])
+	arrayFloat, ok := args["arrayfloat"].(common.MapStr)
+	if !ok {
+		t.Errorf("Field should be present")
+	}
+	assert.Equal(t, 42.5, arrayFloat["0"])
+	assert.Equal(t, 28.8, arrayFloat["1"])
+	assert.Equal(t, 33.3, arrayFloat["2"])
+
+	arrayBool, ok := args["arraybool"].(common.MapStr)
+	if !ok {
+		t.Errorf("Field should be present")
+	}
+	assert.Equal(t, true, arrayBool["0"])
+	assert.Equal(t, false, arrayBool["1"])
+	assert.Equal(t, false, arrayBool["2"])
+	assert.Equal(t, true, arrayBool["3"])
+	assert.Equal(t, true, arrayBool["4"])
+
+	arrayString, ok := args["arraystring"].(common.MapStr)
+	if !ok {
+		t.Errorf("Field should be present")
+	}
+	assert.Equal(t, "AAAA", arrayString["0"])
+	assert.Equal(t, "BBBB", arrayString["1"])
+	assert.Equal(t, "Анна Каренина", arrayString["2"])
+}
+
+func TestAmqp_WrongTable(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+
+	//declared table size too big
+	data, err := hex.DecodeString("010001000000890032000a00000a54657374486561646" +
+		"57218000000da0974696d657374616d70540000000055f7e409036269746205076465636" +
+		"96d616c440500ec49050568656c6c6f530000001f4869206461726c696e6720c3aac3aac" +
+		"3aac3aac3aac3aac3aae697a5e69cac06646f75626c656440453e100cbd7da405666c6f6" +
+		"174664124cccd04626f6f6c7401ce")
+	assert.Nil(t, err)
+
+	stream := &AmqpStream{data: data, message: new(AmqpMessage)}
+	ok, complete := amqp.amqpMessageParser(stream)
+	m := stream.message
+	if !ok {
+		t.Errorf("Parsing returned error")
+	}
+	if !complete {
+		t.Errorf("Message should be complete")
+	}
+	_, exists := m.Fields["arguments"].(common.MapStr)
+	if exists {
+		t.Errorf("Field should not exist")
+	}
+	assert.Equal(t, []string{"Failed to parse additional arguments"}, m.Notes)
+
+	//table size ok, but total non-sense inside
+	data, err = hex.DecodeString("010001000000890032000a00000a54657374486561646" +
+		"57218000000730974696d657374616d7054004400005521e409036269743705076400036" +
+		"96d616c447600ec49180568036c6c0b536400001f480a2064076e6c696e0520c3aac3aac" +
+		"34613aac3aac3aa01aae697a5e69cac3c780b75626c6564a4453e100cbd7da4320a6c0b0" +
+		"90b664124cc1904626f6f6c7401ce")
+	assert.Nil(t, err)
+
+	stream = &AmqpStream{data: data, message: new(AmqpMessage)}
+	ok, complete = amqp.amqpMessageParser(stream)
+	m = stream.message
+	if !ok {
+		t.Errorf("Parsing returned error")
+	}
+	if !complete {
+		t.Errorf("Message should be complete")
+	}
+	_, exists = m.Fields["arguments"].(common.MapStr)
+	if exists {
+		t.Errorf("Field should not exist")
+	}
+	assert.Equal(t, []string{"Failed to parse additional arguments"}, m.Notes)
+}
+
+func TestAmqp_isError(t *testing.T) {
+	trans := &AmqpTransaction{
+		Method: "channel.close",
+		Amqp: common.MapStr{
+			"reply-code": 200,
+		},
+	}
+	assert.Equal(t, false, isError(trans))
+	trans.Amqp["reply-code"] = uint16(300)
+	assert.Equal(t, true, isError(trans))
+	trans.Amqp["reply-code"] = uint16(403)
+	assert.Equal(t, true, isError(trans))
+	trans.Method = "basic.reject"
+	assert.Equal(t, true, isError(trans))
+	trans.Method = "basic.return"
+	assert.Equal(t, true, isError(trans))
+	trans.Method = "basic.publish"
+	assert.Equal(t, false, isError(trans))
+}
+
+func TestAmqp_ChannelCloseErrorMethod(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+
+	data, err := hex.DecodeString("0100010000009000140028019685505245434f4e444" +
+		"954494f4e5f4641494c4544202d20696e6571756976616c656e74206172672027617574" +
+		"6f5f64656c6574652720666f722065786368616e676520277465737445786368616e676" +
+		"52720696e2076686f737420272f273a207265636569766564202774727565272062757" +
+		"42063757272656e74206973202766616c7365270028000ace")
+	assert.Nil(t, err)
+	data2, err := hex.DecodeString("0100010000000400280033ce")
+	assert.Nil(t, err)
+
+	tcptuple := testTcpTuple()
+
+	req := protos.Packet{Payload: data}
+	private := protos.ProtocolData(new(amqpPrivateData))
+	private = amqp.Parse(&req, tcptuple, 0, private)
+	req = protos.Packet{Payload: data2}
+	private = amqp.Parse(&req, tcptuple, 1, private)
+
+	trans := expectTransaction(t, amqp)
+	assert.Equal(t, "channel.close", trans["method"])
+	assert.Equal(t, "amqp", trans["type"])
+	assert.Equal(t, common.ERROR_STATUS, trans["status"])
+	assert.Nil(t, trans["notes"])
+}
+
+func TestAmqp_ConnectionCloseNoError(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+	amqp.HideConnectionInformation = false
+
+	data, err := hex.DecodeString("01000000000012000a003200c8076b74687862616900000000ce")
+	assert.Nil(t, err)
+	data2, err := hex.DecodeString("01000000000004000a0033ce")
+	assert.Nil(t, err)
+
+	tcptuple := testTcpTuple()
+
+	req := protos.Packet{Payload: data}
+	private := protos.ProtocolData(new(amqpPrivateData))
+	private = amqp.Parse(&req, tcptuple, 0, private)
+	req = protos.Packet{Payload: data2}
+	private = amqp.Parse(&req, tcptuple, 1, private)
+
+	trans := expectTransaction(t, amqp)
+	assert.Equal(t, "connection.close", trans["method"])
+	assert.Equal(t, "amqp", trans["type"])
+	assert.Equal(t, common.OK_STATUS, trans["status"])
+	assert.Nil(t, trans["notes"])
+
+	fields, ok := trans["amqp"].(common.MapStr)
+	assert.True(t, ok)
+	code, ok := fields["reply-code"].(uint16)
+	assert.True(t, ok)
+	assert.Equal(t, uint16(200), code)
+}
+
+func TestAmqp_MultipleBodyFrames(t *testing.T) {
+	if testing.Verbose() {
+		logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"amqp", "amqpdetailed"})
+	}
+
+	amqp := AmqpModForTests()
+	amqp.SendRequest = true
+	data, err := hex.DecodeString("0100010000000e003c00280000000568656c6c6f00ce" +
+		"02000100000021003c0000000000000000002a80400a746578742f706c61696e00000000" +
+		"56a22873ce030001000000202a2a2a68656c6c6f2049206c696b6520746f207075626c69" +
+		"736820626967206dce")
+	assert.Nil(t, err)
+	data2, err := hex.DecodeString("0300010000000a657373616765732a2a2ace")
+	assert.Nil(t, err)
+
+	tcptuple := testTcpTuple()
+	req := protos.Packet{Payload: data}
+	private := protos.ProtocolData(new(amqpPrivateData))
+	private = amqp.Parse(&req, tcptuple, 0, private)
+	req = protos.Packet{Payload: data2}
+	private = amqp.Parse(&req, tcptuple, 0, private)
+	trans := expectTransaction(t, amqp)
+	assert.Equal(t, "basic.publish", trans["method"])
+	assert.Equal(t, "***hello I like to publish big messages***", trans["request"])
+}
diff --git a/packetbeat/protos/protos.go b/packetbeat/protos/protos.go
index 95202f88f33b..3362cecfcb2a 100644
--- a/packetbeat/protos/protos.go
+++ b/packetbeat/protos/protos.go
@@ -99,6 +99,7 @@ type Protocol uint16
 // Protocol constants.
 const (
 	UnknownProtocol Protocol = iota
+	AmqpProtocol
 	HttpProtocol
 	MysqlProtocol
 	RedisProtocol
@@ -112,6 +113,7 @@ const (
 // Protocol names
 var ProtocolNames = []string{
 	"unknown",
+	"amqp",
 	"http",
 	"mysql",
 	"redis",
diff --git a/packetbeat/tests/system/config/packetbeat.yml.j2 b/packetbeat/tests/system/config/packetbeat.yml.j2
index d0322f7f3b24..fb10e58930d8 100644
--- a/packetbeat/tests/system/config/packetbeat.yml.j2
+++ b/packetbeat/tests/system/config/packetbeat.yml.j2
@@ -55,6 +55,11 @@ protocols:
 {% if dns_send_request %}    send_request: true{% endif %}
 {% if dns_send_response %}    send_response: true{% endif %}
 
+  amqp:
+    ports: [{{ amqp_ports|default([5672])|join(", ") }}]
+{% if amqp_send_request %}    send_request: true{% endif %}
+{% if amqp_send_response %}    send_response: true{% endif %}
+
   http:
     ports: [{{ http_ports|default([80])|join(", ") }}]
 {% if http_send_request %}    send_request: true{% endif %}
diff --git a/packetbeat/tests/system/packetbeat.py b/packetbeat/tests/system/packetbeat.py
index 7dd7b51649b7..3c194fa3c6cc 100644
--- a/packetbeat/tests/system/packetbeat.py
+++ b/packetbeat/tests/system/packetbeat.py
@@ -15,16 +15,25 @@ class BaseTest(TestCase):
     @classmethod
     def setUpClass(self):
         self.beat_name = "packetbeat"
+<<<<<<< HEAD
         super(BaseTest, self).setUpClass()
 
+=======
+        self.build_path = "../../build/system-tests/"
+        self.beat_path = "../../packetbeat.test"
+>>>>>>> amqp protocol
 
     def run_packetbeat(self, pcap,
                        cmd="../../packetbeat.test",
                        config="packetbeat.yml",
                        output="packetbeat.log",
                        extra_args=[],
+<<<<<<< HEAD
                        debug_selectors=[],
                        exit_code=0):
+=======
+                       debug_selectors=[]):
+>>>>>>> amqp protocol
         """
         Executes packetbeat on an input pcap file.
         Waits for the process to finish before returning to
@@ -51,9 +60,13 @@ def run_packetbeat(self, pcap,
             proc = subprocess.Popen(args,
                                     stdout=outputfile,
                                     stderr=subprocess.STDOUT)
+<<<<<<< HEAD
             actual_exit_code = proc.wait()
             assert actual_exit_code == exit_code, "Expected exit code to be %d, but it was %d" % (exit_code, actual_exit_code)
             return actual_exit_code
+=======
+            return proc.wait()
+>>>>>>> amqp protocol
 
     def start_packetbeat(self,
                          cmd="../../packetbeat.test",
diff --git a/packetbeat/tests/system/pcaps/amqp_channel_error.pcap b/packetbeat/tests/system/pcaps/amqp_channel_error.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..313bb20e09266b367aaf3f6621fe9e730c489b5f
GIT binary patch
literal 2164
zcmaKtOK%%h6oAi!JRB#=BDhhgDi{!w9ZKvpZE1im5@NRv%CmVC7GTEXYx^qWnaRwZ
z1TPRMg78w2Dk52tB2~~<^*Ye}fg-U%CW|guB7_86vZ1SnbFOEsG#QfQjP9Ms`ObIl
z&CH{RJKwcHD+E6W2LLNLx&G+>672NAB#tQno@s@4Ilw~%G60ur>!UE*zIo|m0EJ@X
zW?$m=?mwmNt@`~>`jw?8LwHh&MB$}(|DqV1nwtgaR4Dgj%>BCpGLGj~_Nrr)`_7+1
z?!LsvP0EY;ZOVP{)6=;z6`t6HDE@Zh$m-TLTg!2S3(njtc=7vQ+shf;EiosnTV{bf
zWmhPt*@t>bGm9+S9OSr}=VlQvMsu3W^`xok%R=eHhg`2rPiv;mjI3!1UZ@DA7cZDh
z7u+(FIm6PISzaj5Ht)6_ZaK0Fp`6h?QDUaxx<<EW3mP{(hh=rca+y#%b<3_eyjT+R
zSa5tin5l{J0d;t2=+fZu(7E&KRcn^7T0%2kRVPe6*~QI*<&<ScdhX&R*O}?Eyy}^G
z=BP+ir)DRUsyfe@S`xy3Bb8cPTT41xF2_ZAC8=BGRKzwkL3t=eG~*c9l+?_^Y=`Yw
zc~6%WMXt*yrsg_Und71W-P?9PIh?$JgC1Jn$+3xPRUYXQGqa2Hbz1Mr4?XZVo}xIu
z-tb%PQ(EtDw}SQd_maK6wKtCI{r;0*Le?9$akaZJ-$#e5e32AgbS!dF@^aG76%Nz#
zYg#3xl~?S;<+s##j%}4>=#u{L251X>yP@bYSNKQi{TRL9!3rrtysuT?BJX?4fp=q{
z?~UKy-H%D{%VFN#=>0tAYr(&?<h=aj$(-6}#Mw*)oJN25W7yvtCv#rFR|0Y%Dmkws
zX8~svAwKEahUA<*!bvnaBVj%f^hqcw0Ll0n8FQGOB7`wkO%vmu9WeZ!-N2rWNSBLY
zj5cHpGyokBP6pIImlA^kz;D(FO60=<^!jOo7$T&>zX&*~OVx}tFam&YkVk`z1RU!U
z0U`*X-QHlF+wB2{6N->7E!Mt}68!<gm&l-mkc^3=T_VPFkU$A&7aad%-1dTITAt`7
zf)vXj^aGqwgg|F&UrOkiBhW$<nht};V3?qhawWUsF^|d5QGFg?8{hN+Xh@<6;muXA
z%0|8y@cc#!Y~;F>%rtrX^a)acBu^o)t4Wio@gRYJAh3WFiV)yZ?JFsGDggRjT}Q!N
z68QF0!2JgBGy-FX1#QE!C80s>?gv=MIYkK7sa}(sZw6Ff^A>8}l~gR(|I(7CPkjxU
z31#!_^vpu`%FN<)S{+nPOAS7BYMiQwtK3vqOO`9tcq&eH%03jaBK%m(2&rha_O<N8
YD?vqmAMRowew7tn2&<?SD;lW(2UVpPTL1t6

literal 0
HcmV?d00001

diff --git a/packetbeat/tests/system/pcaps/amqp_emit_receive.pcap b/packetbeat/tests/system/pcaps/amqp_emit_receive.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..b9ce70e23d29039353087f8cfeb3071d2cfe51fe
GIT binary patch
literal 5317
zcmeI0TWl0%6vw~qw$N_DXn}G`gA0h3Xm{H!6~UtAP6;h73x%Sx&dg4?({5+Bv$M1W
zu_O>5ya2_^3%nq~2SY+=NFaud5h2zDHmvc1Y(nZ2;i`i1k|5M`&Rn|P4pSd^@WF;}
zv$M1N|DFFi-{lNHemih9kL5G-Z+MuoZn)UG_luVIhl|*Hc#nfIcRrgyZ{VentzxV;
z^L`zxo51_~7<1vcE|iu(I2l_VSTz0jJu_S_k1F9qSD}Z^{qi!7Wev?uj1{?1`v>M>
zKe-r<vD&UH$;GI>`;MtyT7F$XUC?ht?cocfwLuC#_yklvtO(vIlLRit@lsUMBr(1k
zZhl@8OYl)C-Y%*kL6O@ewJWZ<W{JH*J10lPkoAU_<gg@1;HHP?;*#K#IiXW?mBNqW
zi7xy#CktXUBrBTKwo`MJzztaxG)a+td{hxS#jxg@VtqTNN{UKRXs$9Yp|y*$CJ7vV
zJ=DfY(S$07gs2i1HCK_K#CEDuq+JU_z%Q&Yue{|e7I*`dm5V9@l~vW=HA<7TL(#bC
zOWt}}@D)pPo1%7+BL1#sy(EZoTnu{?a#&QoK=d{=t@nAoK~eO!Yg%lH-`~^I<5M}F
zm$a^KpP+R43u94ELmiaxtWu+p6#s@zO%r3P5>5ydQQ=1VMMLw%9ikcs1Nhy7YG1&&
z5Z*k6^<BTLzR^pscuSN+n}aE=_mIoOZoo%4#@3r%&3uUU=K9Tg8*`~KuxMsK)O-7*
zOIE#8IG3p2><Co581!~$2b7l@7*l+oZIK>Z(rnXnFk^8@Swzy>6Fem=uBjpy?%{U&
zxvuV5f$4V=izLLjX1tQ`+B^^23K8P4@x3;=1bz3#P2c)FpV<%d{66`v9pyWv`<?{8
zXM<iI{98$!_r~F5K0*%fH91Cp??Zl%J9D0eEde;pL!6_)*#uWOZ2YXu>?h8=(VXrH
z7UvZ^KZW3@+~sGC7`)rVnn4|h4P#ld78!lLCd0_t@dqcnOUX-(9ispk3v|HO;{Y-T
z$i#dTpeL)l6if`*1F$RwY$_ng!C(2#SxPP?2bu{m91MVic?1}fB?J@#0B5_-m|x&w
z0$kv*$x<+LkW7@A48z1cFmaw3YjU%MjOnZ#OtAc@5{XY}<76eFVexh3VL-wTPQwOS
zmwb(E^_WP*)_JhCoRF|h7zY9_VwlW`%m-vKrR^H%<3hn<qrW!OPnOC|eZ$gnu#_VG
zF^dKDC$Rup(hoV}+=DZz2R^}J!-*tcCm$P3j^QH(K3a(LhMkWWfm1viHUwWplq>4H
z7uRg-;6go-V3i`aHt(q7+kz1S!V87*a*>C<0~a`K!iZ)LVHn(>W*COumcXJ}E(+sq
zyD%ytjH!%`69^TUxOyySJ>!(Nj#82^W6@JG%LOUf?^N0Vn?_!%i#_Zc;Nh_GdMfiV
zc|B$78(#N=*U6-R+|Fx))&2{w>jaI9RQR>7m_MRa@ChjzUKj|}R4-guRpW=VuZxqz
z6;VkRD>yX*C%ml1{UL?#@Qb~oUlj#W+98H;K~z+Ytc7!6=rCBpVPoin<T6Uw0@IL@
zu*nZjs>NgoZ|KcY)>_yAhNeBicvC!_y&`OPj(yyx7%Kmq8LFOpwHR_ArckXu?(`vC
zwuNMwk#;A{8z=4La!NzamM|*}X_zur`}84GTZFjTO}C?Vx)HTIJFU3GrRBGSZO!`{
zuML5AR{wdXjLkh$X7-<`{n;(IWB=K40kyAirZ$u>jJlxTirORnr>>0~&Hw!;HH81U
z{uArnciZjQf2NzT-W`|CdSBP)QtQ6Pp<OgjFPY0VtKM1tXI7Uye#7{LyVb|_pXmEH
z@a=S@c3ec?=^LhReVz~Pf_eUsd|O9qw(rsXCvs}<ICIj?v{v6VIYxdTLVgc8b4L14
z<ZJ_uQ~#OXNSx4UPUIPjV|7;9en$FFWITP>?bv^Id`CIEYch<S9k?Bg%posU|C!A&
z`cDLG9tV&Pk_l_`(UTRK1165x191B>`cDL0{Mk869fRcHW{!g+;J`<KF<C;uNdJk9
zz%Opc{xiLaOf;Gd!-Nk^oFInPf0|iB#$)?WM1BQGr~b3!d$N`Np9ZjL51jy84TQA%
z&upaLf1>{1px+8X;IKK<>(iUb(v}=c4Zt`{`b%>+3A8jB&h&DlrH0NAL9>5#GZAj#
zumNpOw-9Ju4v4ov^`k*~)JV?+koi}zhj}!ySM$STy(AO#d4M`SR;9NP^sOA|UJIHt
zt=$AIXcwbVg#bMO*a89IuyM5}y_EnhIe>!};MLKt^v8o@=<v$fAZZe2#yvN?3YR!+
zFoVezh<W#xi7`5_sMT_u%f_5Oq+_;2@@k)8=S9H*NPm=Ksc}m*CY>7ibe!#%&}TY#
z5ub(Ge#~jMPh|@zkLN&tJA{eDCXbEjRw`HS0zL-ix<LBNv-5bS4CgvyCGe~jV1pAo
iwf0_~lkg*={V|@K%j72aAi4l<lJ;&;Iv;4&seb?^oADa}

literal 0
HcmV?d00001

diff --git a/packetbeat/tests/system/pcaps/amqp_publish.pcap b/packetbeat/tests/system/pcaps/amqp_publish.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..ed1fb00b6b423033b85bb7d15a512f93597146a6
GIT binary patch
literal 2406
zcmb7`PiP!f9LL|J*=Dm7il!1&s*a}G4cOf^u_ziOv59rdCMMmcEsf1)X7(lf$n4B!
z=578Q#FSEV@=)|5c&J`H1bQe7h2CtVM34|f#FLntpn`arTh`z2w=+xr3<>V;Z+P#`
z%=h!Yzuzx2`T6nvuUc3u3qSQbWAiYvH@~^^+jA<*!5D+FW3B8s4d4)G!;JO&*9O?Y
z@nQXA#uSX(_qvi>x9t4(=-Ks^r<E%^8CX=}33lp>R*b=s@iE5Q71UN=QrYhcqd2Io
zY}LL+?N5rKc31NDJ=6vLNz|^dH??D^4N|c1IZME|9Y#)vsaJGESV9W!y$2`1?yOV|
zOL!&j7EH&U5pLO&%CmgQEa~<vFEj^+u#3W;g_8+G_k@|Ub#qQCU2v0EE#uv~ZE~w%
zJ5tOnOQjP|*xZ!Du~UZSm~*@+m6Oe@E3R-{+J#h3=~Y?cwiKq0mltMqVO3pTFfGU9
zQfW7x%CakFOEM1|K65^tY02|FT5l%v#@XJ?Ykk@UXG|<OQny~!vbLF0g+1fAWm3fZ
z&gF#3ZI2hVs$Jx+21IRSESJ)>Jm*?T%F0{m^y1=T%GC`+$nt#3bjs;?#nL6}phRNW
zwIC_!4=#_jRa~c7HEBojOLWJ`c-sPZJuraR#`;pdsn=m}0_&R_%#Lbw#8ccZOyoDQ
z-m6gWKVS*tV7=L|{&lSP(BrV)K`%{ikEW-g-cvh2?x}Z->dn4{YOA34(e7Qoh!#EY
zI4fkSYLGimx?C?V>dR@pJYU(p{g%!92U;cd|7slz{dTa~D)(e?B;Sv~_chodMuhM8
zYmd<P>Yt(SMxUprq0j5&yFbcz2l##-^jhFIM4as-IQ}GZhA)MjAis6UuRNUd0z49c
z!xF^#7dV$;h7sXs$p4Ty6MH$%$tLH`C_i!VlT^}-5yR|O**K_UL@)+x>&RIBCu9UU
zlUui(Zt`+2iV*`wPXn-X1i-&RCa#8nMzWl4FmW>)fbAG#PXU4){B-*8EY-dv2Y-ct
zz`;#$kRiZ<EFmBc0POY#<B6A5b^|6D5m_4Xr^v*`kP(>3fQdWA7~G#FWIV}w!32wy
zxMew{Ooo1WMP*Yk#fX57*1ji0+aWA4bO#J&3HELjtP^1BE)+-;EpbL=*I|MYLA&S|
z$XYI>1=g})ZH;K}MA1&LewGBi07#_MK;p255kZ>pr-?MMk5p)qvU^D_43qc_kit)F
zg(W0kl4*Fp3Y(yP06na~eVw5BebALAbYFiTBWS}G0X_r3RoDPVgsTg_5t+YFn}E0X
zx>5+BLi;7z25Ax|msA<N&?zD?1GNprto|MP2%2IIn&K{%3EmpP{|EREhi5t_uN5#o
zq`v_Ahc%sVl8vEIKWKxyVB<k_)8XDbp}%|CM%$b$Eg8DNC8Dhz<>m)+v;S}Q0l0Y>
M?FOY=f!4SAA53Z=ssI20

literal 0
HcmV?d00001

diff --git a/packetbeat/tests/system/test_0051_amqp_publish.py b/packetbeat/tests/system/test_0051_amqp_publish.py
new file mode 100644
index 000000000000..b9b97df6b22f
--- /dev/null
+++ b/packetbeat/tests/system/test_0051_amqp_publish.py
@@ -0,0 +1,35 @@
+from packetbeat import BaseTest
+
+
+class Test(BaseTest):
+
+    def test_amqp_publish(self):
+        self.render_config_template(
+            amqp_ports=[5672],
+            amqp_send_request=True
+        )
+        self.run_packetbeat(pcap="amqp_publish.pcap",
+                            debug_selectors=["amqp,tcp,publish"])
+
+        objs = self.read_output()
+        assert all([o["type"] == "amqp" for o in objs])
+        assert len(objs) == 2
+        assert all([o["port"] == 5672 for o in objs])
+
+        assert objs[0]["method"] == "queue.declare"
+        assert objs[0]["status"] == "OK"
+        assert objs[0]["amqp.queue"] == "hello"
+        assert objs[0]["amqp.durable"] == False
+        assert objs[0]["amqp.auto-delete"] == False
+        assert objs[0]["amqp.exclusive"] == False
+        assert objs[0]["amqp.no-wait"] == False
+        assert objs[0]["count"] == 1
+
+        assert objs[1]["method"] == "basic.publish"
+        assert objs[1]["status"] == "OK"
+        assert objs[1]["request"] == "hello"
+        assert objs[1]["amqp.routing-key"] == "hello"
+        assert objs[1]["amqp.mandatory"] == False
+        assert objs[1]["amqp.immediate"] == False
+        assert objs[1]["amqp.content-type"] == "text/plain"
+        assert objs[1]["count"] == 1
diff --git a/packetbeat/tests/system/test_0052_amqp_emit_receive.py b/packetbeat/tests/system/test_0052_amqp_emit_receive.py
new file mode 100644
index 000000000000..8f23e8ca4e4d
--- /dev/null
+++ b/packetbeat/tests/system/test_0052_amqp_emit_receive.py
@@ -0,0 +1,76 @@
+from packetbeat import BaseTest
+
+
+class Test(BaseTest):
+
+    def test_amqp_emit_receive(self):
+        self.render_config_template(
+            amqp_ports=[5672],
+        )
+        self.run_packetbeat(pcap="amqp_emit_receive.pcap",
+                            debug_selectors=["amqp,tcp,publish"])
+
+        objs = self.read_output()
+        assert all([o["type"] == "amqp" for o in objs])
+        assert len(objs) == 7
+        assert all([o["port"] == 5672 for o in objs])
+
+        assert objs[0]["method"] == "exchange.declare"
+        assert objs[0]["status"] == "OK"
+        assert objs[0]["amqp.exchange"] == "logs"
+        assert objs[0]["amqp.durable"] == True
+        assert objs[0]["amqp.exchange-type"] == "fanout"
+        assert objs[0]["amqp.passive"] == False
+        assert objs[0]["amqp.no-wait"] == False
+        assert objs[0]["count"] == 1
+
+        assert objs[1]["method"] == "queue.declare"
+        assert objs[1]["status"] == "OK"
+        assert objs[1]["amqp.queue"] != ""
+        assert objs[1]["amqp.exclusive"] == True
+        assert objs[1]["amqp.no-wait"] == False
+        assert objs[1]["amqp.durable"] == False
+        assert objs[1]["amqp.auto-delete"] == False
+        assert objs[1]["amqp.passive"] == False
+        assert objs[1]["count"] == 1
+
+        assert objs[2]["method"] == "queue.bind"
+        assert objs[2]["status"] == "OK"
+        assert objs[2]["amqp.queue"] != ""
+        assert objs[2]["amqp.exchange"] == "logs"
+        assert objs[2]["amqp.no-wait"] == False
+        assert objs[2]["count"] == 1
+
+        assert objs[3]["method"] == "basic.consume"
+        assert objs[3]["status"] == "OK"
+        assert objs[3]["amqp.queue"] != ""
+        assert objs[3]["amqp.no-ack"] == True
+        assert objs[3]["amqp.no-wait"] == False
+        assert objs[3]["amqp.no-local"] == False
+        assert objs[3]["amqp.exclusive"] == False
+        assert objs[3]["count"] == 1
+
+        assert objs[4]["method"] == "exchange.declare"
+        assert objs[4]["status"] == "OK"
+        assert objs[4]["amqp.exchange"] == "logs"
+        assert objs[4]["amqp.durable"] == True
+        assert objs[4]["amqp.exchange-type"] == "fanout"
+        assert objs[4]["amqp.passive"] == False
+        assert objs[4]["amqp.no-wait"] == False
+        assert objs[4]["count"] == 1
+
+        assert objs[5]["method"] == "basic.publish"
+        assert objs[5]["status"] == "OK"
+        assert objs[5]["amqp.content-type"] == "text/plain"
+        assert objs[5]["amqp.exchange"] == "logs"
+        assert objs[5]["amqp.immediate"] == False
+        assert objs[5]["amqp.mandatory"] == False
+        assert objs[5]["count"] == 1
+
+        assert objs[6]["method"] == "basic.deliver"
+        assert objs[6]["status"] == "OK"
+        assert objs[6]["amqp.content-type"] == "text/plain"
+        assert objs[6]["amqp.delivery-tag"] == 1
+        assert objs[6]["amqp.exchange"] == "logs"
+        assert objs[6]["amqp.redelivered"] == False
+        assert objs[6]["count"] == 1
diff --git a/packetbeat/tests/system/test_0053_amqp_channel_error.py b/packetbeat/tests/system/test_0053_amqp_channel_error.py
new file mode 100644
index 000000000000..b9c7cb6a871a
--- /dev/null
+++ b/packetbeat/tests/system/test_0053_amqp_channel_error.py
@@ -0,0 +1,42 @@
+from packetbeat import BaseTest
+
+
+class Test(BaseTest):
+
+    def test_amqp_channel_error(self):
+        self.render_config_template(
+            amqp_ports=[5672],
+        )
+        self.run_packetbeat(pcap="amqp_channel_error.pcap",
+                            debug_selectors=["amqp,tcp,publish"])
+
+        objs = self.read_output()
+        assert all([o["type"] == "amqp" for o in objs])
+        assert len(objs) == 3
+
+        assert objs[0]["method"] == "exchange.declare"
+        assert objs[0]["status"] == "OK"
+        assert objs[0]["amqp.exchange"] == "titres"
+        assert objs[0]["amqp.durable"] == True
+        assert objs[0]["amqp.exchange-type"] == "fanout"
+        assert objs[0]["amqp.passive"] == False
+        assert objs[0]["amqp.no-wait"] == True
+        assert objs[0]["count"] == 1
+
+        assert objs[1]["method"] == "queue.declare"
+        assert objs[1]["status"] == "OK"
+        assert objs[1]["amqp.queue"] == "my_queue"
+        assert objs[1]["amqp.exclusive"] == True
+        assert objs[1]["amqp.no-wait"] == False
+        assert objs[1]["amqp.durable"] == False
+        assert objs[1]["amqp.auto-delete"] == False
+        assert objs[1]["amqp.passive"] == False
+        assert objs[1]["count"] == 1
+
+        assert objs[2]["method"] == "channel.close"
+        assert objs[2]["status"] == "Error"
+        assert objs[2]["amqp.reply-code"] == 404
+        assert objs[2]["amqp.reply-text"] == "NOT_FOUND - no exchange 'plop' in vhost '/'"
+        assert objs[2]["amqp.class-id"] == 50
+        assert objs[2]["amqp.method-id"] == 20
+        assert objs[2]["count"] == 1
diff --git a/topbeat/beater/topbeat.go b/topbeat/beater/topbeat.go
index b134372c28c4..59baff9729ec 100644
--- a/topbeat/beater/topbeat.go
+++ b/topbeat/beater/topbeat.go
@@ -234,6 +234,7 @@ func (t *Topbeat) exportProcStats() error {
 				"type":       "process",
 				"count":      1,
 				"proc":       proc,
+				"count":      1,
 			}
 
 			t.events.PublishEvent(event)
diff --git a/topbeat/docs/fields.asciidoc b/topbeat/docs/fields.asciidoc
index 13b49c8a48a8..bb6b4a5dfa89 100644
--- a/topbeat/docs/fields.asciidoc
+++ b/topbeat/docs/fields.asciidoc
@@ -522,5 +522,3 @@ The used disk space in bytes.
 type: float
 
 The percentage of used disk space.
-
-