Making the most of sFlow data

I noticed that sFlow support is a recent addition to the EDA. I upgraded to 6.2.5.3353 to test it out.

A little background on our environment. We’re a L3 shop, so all of our closets and remote sites have L3 switches, which makes EH blind to any data that stays local to the L3 switch. I thought that using sFlow might help to get around this limitation.

From my limited knowledge of sFlow:
There are two types of sFlow packets, one is “Counter Samples” which has data for counters (i.e. bytes sent/received), and the other is “Flow Samples” which contain packet headers of sampled packets.

I was hoping that EDA would be able to use the Flow samples to discover remote devices. There’s a wealth of information in these packet headers (MAC, IP, Protocols, Ports, etc) which don’t seem to be recorded in the EDA. Did I misconfigure something or does EDA not support capturing this data?
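To illustrate the two sample types described in the question, here is an added example (not code from this thread or from ExtraHop): a small Python parser for sFlow v5 datagrams. It constructs a datagram carrying one flow sample (a raw Ethernet/IPv4/TCP header) and one counter sample (generic interface counters), parses it back, and pulls the MAC, IP, protocol and port fields out of the sampled header, scaling the frame length by the sampling rate to estimate the traffic it stands for. Field layouts follow the sFlow v5 specification; the agent address, MACs, IPs, interface index and counter values are made up.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Union

# Added example, not ExtraHop code. Wire format per sFlow v5: sample format 1 = flow
# sample, 2 = counter sample; flow record 1 = raw packet header; counter record 1 =
# generic interface counters. All sample values below are constructed.

@dataclass
class FlowSample:
    sampling_rate: int
    frame_len: int
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    @property
    def estimated_bytes(self) -> int:
        # Each sampled frame stands for roughly sampling_rate frames of that size.
        return self.sampling_rate * self.frame_len

@dataclass
class CounterSample:
    if_index: int
    in_octets: int
    out_octets: int

GENERIC_IF_COUNTERS = "!IIQIIQIIIIIIQIIIIII"  # 88-byte generic interface counter record

def _u32(v: int) -> bytes:
    return struct.pack("!I", v)

# ---- builders for the constructed datagram (values are made up) ----
def build_ethernet_ipv4_tcp(src_mac, dst_mac, src_ip, dst_ip, sport, dport) -> bytes:
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp

def build_flow_sample(header: bytes, sampling_rate: int, frame_len: int) -> bytes:
    padded = header + b"\x00" * (-len(header) % 4)
    raw = _u32(1) + _u32(frame_len) + _u32(0) + _u32(len(header)) + padded  # protocol 1 = Ethernet
    record = _u32(1) + _u32(len(raw)) + raw
    # seq, source id, rate, sample pool, drops, input if, output if, record count
    body = struct.pack("!8I", 1, 5, sampling_rate, 100000, 0, 5, 7, 1) + record
    return _u32(1) + _u32(len(body)) + body

def build_counter_sample(if_index: int, in_octets: int, out_octets: int) -> bytes:
    data = struct.pack(GENERIC_IF_COUNTERS, if_index, 6, 10**9, 0, 3, in_octets,
                       0, 0, 0, 0, 0, 0, out_octets, 0, 0, 0, 0, 0, 0)
    body = struct.pack("!III", 1, if_index, 1) + _u32(1) + _u32(len(data)) + data
    return _u32(2) + _u32(len(body)) + body

def build_datagram(samples: List[bytes], agent_ip: str = "10.0.0.1") -> bytes:
    hdr = (_u32(5) + _u32(1) + socket.inet_aton(agent_ip) + _u32(0)
           + _u32(1) + _u32(123456) + _u32(len(samples)))
    return hdr + b"".join(samples)

# ---- parser ----
def _decode_header(hdr: bytes, rate: int, frame_len: int) -> FlowSample:
    fs = FlowSample(rate, frame_len, src_mac=hdr[6:12].hex(":"), dst_mac=hdr[0:6].hex(":"))
    if len(hdr) >= 34 and struct.unpack_from("!H", hdr, 12)[0] == 0x0800:  # IPv4
        ihl = (hdr[14] & 0x0F) * 4
        fs.proto = hdr[23]
        fs.src_ip, fs.dst_ip = socket.inet_ntoa(hdr[26:30]), socket.inet_ntoa(hdr[30:34])
        l4 = 14 + ihl
        if fs.proto in (6, 17) and len(hdr) >= l4 + 4:  # TCP/UDP ports
            fs.sport, fs.dport = struct.unpack_from("!HH", hdr, l4)
    return fs

def _parse_flow_sample(body: bytes) -> List[FlowSample]:
    _seq, _src, rate, _pool, _drops, _in_if, _out_if, nrec = struct.unpack_from("!8I", body, 0)
    off, out = 32, []
    for _ in range(nrec):
        fmt, length = struct.unpack_from("!II", body, off)
        rec, off = body[off + 8:off + 8 + length], off + 8 + length
        if fmt != 1:
            continue  # only raw packet header records carry the sampled header
        proto, frame_len, _stripped, hdr_len = struct.unpack_from("!IIII", rec, 0)
        if proto == 1:
            out.append(_decode_header(rec[16:16 + hdr_len], rate, frame_len))
    return out

def _parse_counter_sample(body: bytes) -> List[CounterSample]:
    _seq, _src, nrec = struct.unpack_from("!III", body, 0)
    off, out = 12, []
    for _ in range(nrec):
        fmt, length = struct.unpack_from("!II", body, off)
        rec, off = body[off + 8:off + 8 + length], off + 8 + length
        if fmt == 1:
            v = struct.unpack_from(GENERIC_IF_COUNTERS, rec, 0)
            out.append(CounterSample(if_index=v[0], in_octets=v[5], out_octets=v[12]))
    return out

def parse_datagram(buf: bytes) -> List[Union[FlowSample, CounterSample]]:
    version, addr_type = struct.unpack_from("!II", buf, 0)
    if version != 5 or addr_type != 1:
        raise ValueError("only sFlow v5 with an IPv4 agent address is handled here")
    _sub, _seq, _uptime, nsamples = struct.unpack_from("!IIII", buf, 12)
    off, out = 28, []
    for _ in range(nsamples):
        fmt, length = struct.unpack_from("!II", buf, off)
        body, off = buf[off + 8:off + 8 + length], off + 8 + length
        enterprise, fmt_id = fmt >> 12, fmt & 0xFFF
        if enterprise == 0 and fmt_id == 1:
            out.extend(_parse_flow_sample(body))
        elif enterprise == 0 and fmt_id == 2:
            out.extend(_parse_counter_sample(body))
    return out

def demo() -> List[Union[FlowSample, CounterSample]]:
    hdr = build_ethernet_ipv4_tcp("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                                  "10.1.1.10", "10.1.2.20", 51515, 443)
    dg = build_datagram([build_flow_sample(hdr, sampling_rate=1024, frame_len=1500),
                         build_counter_sample(5, 123456789, 987654321)])
    return parse_datagram(dg)

if __name__ == "__main__":
    for sample in demo():
        print(sample)
```

The flow sample yields the endpoint identifiers the question lists (MACs, IPs, protocol, ports), while the counter sample only gives per-interface byte totals; the `estimated_bytes` scaling is the usual way to turn sampled frames into an approximate volume, and it is only an estimate because sampling is probabilistic.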

The ExtraHop platform cannot discover devices using flow data; it needs access to full packets for that, as it can’t perform L4-L7 analysis when it only sees sampled information.

If you are looking to perform additional analysis on the data sent by sFlow, you can use the SFLOW_RECORD trigger event to get access to data from individual flow samples as they arrive.