Although the discovery process in Faddom is agentless, in some cases, getting details on some servers is not possible due to the network infrastructure, the type of hypervisor being used, or having limited access to a hypervisor.
In these cases, it is possible to use an agent to collect network traffic using the sFlow protocol. The sFlow protocol is a lightweight protocol designed to collect information on network traffic while having minimal overhead on the device generating the sFlow traffic.
Faddom supports collecting traffic in this manner from both Windows and Linux servers. Please use the below table to determine when to use which tool.
sFlow Generator | host sFlow | |
Performance Data | No | Yes |
Traffic Collection | Yes | Not on Windows |
OS | Windows Only | Windows/Linux |
Linux
To collect sFlow traffic from Linux servers, we have added support for using host sFlow to get network traffic and performance details on servers. Host sFlow supports multiple hypervisors, including KVM, Nutanix AHV, and Xen which can allow Faddom to get information on these types of environments. It can also be installed on physical servers to collect data from them.
Host sFlow agents run on the server they are installed on and generate sFlow traffic. This traffic can be analyzed by Faddom. In this way, Faddom still does not require direct access to the servers or any credentials for them. You just need to open UDP port 6343 from the Host sFlow agents to Faddom to allow the sFlow traffic to pass.
To use Host sFlow with Faddom, you need to install the agents on the relevant servers, and direct them to send the data to a Faddom server or sensor. Please see the documentation for Host sFlow for more details.
The basic configuration for collecting traffic from a Linux server should look something like this (replacing [FaddomServerIP] with the ip address of a Faddom server/sensor/proxy :
sflow { collector { ip = [FaddomServerIP] }
sampling = 50 pcap {} tcp {} }
Windows
For Windows based servers, the host sFlow above method is not sufficient as it only collects performance statistics and not network traffic information. If performance statistics are required, host sFlow can still be used in addition to the network capture method below.
To collect sFlow traffic from a Windows server, you can use the Faddom sFlow generator tool. This tool is a lightweight agent that can be installed on a Windows server and will send sampled flow data over the sFlow protocol.
Installation
The sFlow generator can be downloaded below as an MSI file at the bottom of this article. The installation of the agent should not require a restart of the server. Run the installer on the server as following:
If you receive a Windows protection warning screen like below, click on More Info and then Run Anyway:
Start the installer and click Next:
Accept the license agreement and click Next:
In the Collector Address field, enter the host name or IP address of a Faddom server, sensor or proxy to which the sFlow traffic will be sent. Make sure your firewall allows sending UDP traffic over port 6343 from the server you are installing on to the collector.
You can customize the Sampling Rate here as well. The sampling rate will determine how many packets Faddom will analyze. For a sampling rate of 32, Faddom will analyze 1 out of every 32 packets or about 3% of the traffic on this host. For optimal performance, it is recommended to set the sampling rate to a power of 2 (ex 16, 32, 64, 128, etc...).
A higher sampling rate will reduce the network and CPU overhead of the sensor, but it will take longer for Faddom to map the network traffic and respond to changes.
After settings these values, click on Next to continue:
Optionally change the installation folder. The sFlow generator requires around 1MB of disk space for installation. Then click Next:
Finally, click on Install to complete the installation:
Silent Installation
To run the installer silently, use the following command:
msiexec /i FaddomSflowGenerator.msi /quiet SAMPLINGRATE=32 COLLECTORADDR=X.X.X.X ACCEPT=YES
Parameters:
COLLECTORADDR - Set the address of the collector that will receive the sFlow traffic (Replace X.X.X.X with the collector IP or host name)
SAMPLINGRATE (Optional) - Set a custom sampling rate
INSTALLDIR (Optional) - Set a custom installation folder
Configuration
After the installation, it is possible to change the parameters of the sFlow generator in the registry.
To do this, open the Registry Editor and navigate the the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Faddom\sFlowGenerator
Here, you will see three values:
CollectorAddress - The IP address or host name to send the sFlow traffic to
PerformanceMode - Can be either 0 or 1. When enabled (set to 1), the sFlow generator will have a significant performance improvement so it is recommended to leave this on. There is a small chance of missing some types of very regular, repetitive traffic while using this method (though highly unlikely)
SamplingRate - The packet sampling rate. The sFlow generator will analyze 1 out of every X packets where X is the sampling rate.
Any configuration changes will require a restart to the Faddom sFlow Generator server under Windows services.