- Wireshark must be installed, and root privileges are needed on the server where sFlow samples are to be received.
- One or more inputs must be configured as follows:
o Name: this is just the input’s name
o Interval: must be set to 0 for continuous capture of sFlow samples
o Index: this is the Splunk index for decoded samples
o Status: enable/disable to switch capture on/off
o Interface: this is the name of the interface (NIC card) where sFlow samples will be received. Its IP address must match the receiver IP address configured on the sFlow switch. Execute “tshark -D” with root privileges to get a list of interfaces on which packets can be captured.
sFlow is a sampling-based technology and can generate a huge amount of data even on a lightly utilized network. It is strongly recommended that:
- You use this tool in a test, non-production environment
- You only enable sFlow sampling on those switch ports where you want to analyze traffic
- You configure a high sampling rate (e.g. 8192)
- You monitor your indexing stats
sFlow Analyzer for Splunk events contain decoded samples, not raw samples. Indexing requirements will be much higher than the amount of sampled (raw) data.
In short: please consider the impact over your license usage and indexing!
sFlow samples are limited to the first 128 bytes, not the entire frame. In many situations however, 128 bytes can reveal a lot, even when using VXLAN overlays.
For example, let’s consider a VXLAN-tunneled TCP segment and let’s also assume that Q-in-Q (double tagging) is used in the underlay:
- C-VLAN tag: 4 bytes
- S-VLAN tag: 4 bytes
- Underlay ethernet header: 18 bytes
- Underlay IP header: 20 bytes
- Underlay UDP header: 8 bytes
- VXLAN header: 8 bytes
- Overlay ethernet header: 18 bytes
- Overlay IP header: 20 bytes
- Overlay TCP header: 20 bytes (excluding options)
In this example, 120 bytes is enough to decode TCP source/destination ports in the overlay and perform a port lookup to find the application.
sFlow Analyzer modifies Wireshark’s JSON-formatted decodes to simplify Splunk searches in the following ways:
- Differentiates between C-VLAN and S-VLAN headers
- Creates a separate VXLAN branch grouping all overlay headers
Please note that, at this time, no special treatment is given to other tunneling technologies such as GRE, NVGRE, OTV, 6in4, IPinIP etc. Such tunneled traffic may not generate properly formatted JSON events.
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.