Skip to main content
All CollectionsGetting StartedData Sources Configuration
Capturing network traffic using agents
Capturing network traffic using agents
Alex Patnick avatar
Written by Alex Patnick
Updated over 2 weeks ago

Although the discovery process in Faddom is agentless, in some cases, getting details on some servers is not possible due to the network infrastructure, the type of hypervisor being used, or having limited access to a hypervisor.

In these cases, it is possible to use an agent to collect network traffic using the sFlow protocol. The sFlow protocol is a lightweight protocol designed to collect information on network traffic while having minimal overhead on the device generating the sFlow traffic.

Faddom supports collecting traffic in this manner from both Windows and Linux servers. Please use the below table to determine when to use which tool.

sFlow Generator

host sFlow

Performance Data

No

Yes

Traffic Collection

Yes

Not on Windows

OS

Windows Only

Windows/Linux

Linux

To collect sFlow traffic from Linux servers, we have added support for using host sFlow to get network traffic and performance details on servers. Host sFlow supports multiple hypervisors, including KVM, Nutanix AHV, and Xen which can allow Faddom to get information on these types of environments. It can also be installed on physical servers to collect data from them.

Host sFlow agents run on the server they are installed on and generate sFlow traffic. This traffic can be analyzed by Faddom. In this way, Faddom still does not require direct access to the servers or any credentials for them. You just need to open UDP port 6343 from the Host sFlow agents to Faddom to allow the sFlow traffic to pass.

To use Host sFlow with Faddom, you need to install the agents on the relevant servers, and direct them to send the data to a Faddom server or sensor. Please see the documentation for Host sFlow for more details.

The basic configuration for collecting traffic from a Linux server should look something like this (replacing [FaddomServerIP] with the ip address of a Faddom server/sensor/proxy :

sflow {
  collector { ip = [FaddomServerIP] }
sampling = 50 pcap {} tcp {} }

Windows

For Windows based servers, the host sFlow above method is not sufficient as it only collects performance statistics and not network traffic information. If performance statistics are required, host sFlow can still be used in addition to the network capture method below.

To collect sFlow traffic from a Windows server, you can use the Faddom sFlow generator tool. This tool is a lightweight agent that can be installed on a Windows server and will send sampled flow data over the sFlow protocol.

Installation

The sFlow generator can be downloaded below as an MSI file at the bottom of this article. The installation of the agent should not require a restart of the server. Run the installer on the server as following:

If you receive a Windows protection warning screen like below, click on More Info and then Run Anyway:

mceclip0.png

Start the installer and click Next:

mceclip0.png

Accept the license agreement and click Next:

mceclip1.png

In the Collector Address field, enter the host name or IP address of a Faddom server, sensor or proxy to which the sFlow traffic will be sent. Make sure your firewall allows sending UDP traffic over port 6343 from the server you are installing on to the collector.

You can customize the Sampling Rate here as well. The sampling rate will determine how many packets Faddom will analyze. For a sampling rate of 32, Faddom will analyze 1 out of every 32 packets or about 3% of the traffic on this host. For optimal performance, it is recommended to set the sampling rate to a power of 2 (ex 16, 32, 64, 128, etc...).

A higher sampling rate will reduce the network and CPU overhead of the sensor, but it will take longer for Faddom to map the network traffic and respond to changes.

After settings these values, click on Next to continue:

mceclip2.png

Optionally change the installation folder. The sFlow generator requires around 1MB of disk space for installation. Then click Next:

mceclip3.png

Finally, click on Install to complete the installation:

mceclip4.png

Silent Installation

To run the installer silently, use the following command:

msiexec /i FaddomSflowGenerator.msi /quiet SAMPLINGRATE=32 COLLECTORADDR=X.X.X.X ACCEPT=YES

Parameters:

  • COLLECTORADDR - Set the address of the collector that will receive the sFlow traffic (Replace X.X.X.X with the collector IP or host name)

  • SAMPLINGRATE (Optional) - Set a custom sampling rate

  • INSTALLDIR (Optional) - Set a custom installation folder

Configuration

After the installation, it is possible to change the parameters of the sFlow generator in the registry.

To do this, open the Registry Editor and navigate the the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Faddom\sFlowGenerator

Here, you will see three values:

  • CollectorAddress - The IP address or host name to send the sFlow traffic to

  • PerformanceMode - Can be either 0 or 1. When enabled (set to 1), the sFlow generator will have a significant performance improvement so it is recommended to leave this on. There is a small chance of missing some types of very regular, repetitive traffic while using this method (though highly unlikely)

  • SamplingRate - The packet sampling rate. The sFlow generator will analyze 1 out of every X packets where X is the sampling rate.

Any configuration changes will require a restart to the Faddom sFlow Generator server under Windows services.

Download

Did this answer your question?