Posted by
Ofer Regev
September 19, 2019

In the previous two posts (part 1 and part 2), we discussed how to gain visibility into the network traffic in VMware environments, as traditional methods of capturing east-west traffic have become increasingly limited due to virtualization. Today, we will look at how we can achieve something similar in Microsoft Hyper-V.

Capturing full traffic in Hyper-V

If you need the full traffic between virtual machines in a Hyper-V environment, the only way to get it is port mirroring on the Hyper-V virtual switch. We will not go into all the settings, but the general idea is that you define which virtual machines' network adapters are the source of the traffic and which adapter is the destination. Every adapter designated as a source then has its traffic mirrored to the destination adapter. Two things to keep in mind: the source and destination adapters must be connected to the same virtual switch, and the destination VM receives copies of everyone else's traffic, so it should be hardened and access to it restricted like any other sensor.

To enable this, edit the settings of the VM(s) you want to monitor, expand the Network Adapter and open Advanced Features. Under Port mirroring, set the adapter's mirroring mode to Source or Destination. The same setting is exposed to PowerShell as the -PortMirroring parameter of the Set-VMNetworkAdapter cmdlet.
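The same configuration done from PowerShell, as an added example that is not part of the original post. The VM names (Web01, Db01, Sensor01) and the switch name (External) are assumptions for illustration; the cmdlets and the PortMirroring values are the standard Hyper-V ones.

```powershell
# Added example (not from the original post): configure Hyper-V port mirroring from
# PowerShell and verify it. VM names and the switch name are assumed for illustration.
$SwitchName = 'External'          # assumed: the virtual switch all three VMs share
$SourceVMs  = @('Web01', 'Db01')  # assumed: VMs whose traffic we want to see
$SensorVM   = 'Sensor01'          # assumed: VM running the capture / IDS tool

# Mirroring only works between adapters on the same virtual switch, so check that first.
$adapters  = Get-VMNetworkAdapter -VMName ($SourceVMs + $SensorVM)
$offSwitch = $adapters | Where-Object { $_.SwitchName -ne $SwitchName }
if ($offSwitch) {
    throw "Not on switch '$SwitchName': $(($offSwitch | ForEach-Object { "$($_.VMName)/$($_.Name)" }) -join ', ')"
}

# Mark every adapter of the monitored VMs as a mirror source.
foreach ($vm in $SourceVMs) {
    Set-VMNetworkAdapter -VMName $vm -PortMirroring Source
}

# Mark the sensor's adapter as a mirror destination. Inside the guest the capture tool
# still has to put the adapter into promiscuous mode to see frames not addressed to it.
Set-VMNetworkAdapter -VMName $SensorVM -PortMirroring Destination

# Verify: sources report 'Source', the sensor reports 'Destination', all on one switch.
Get-VMNetworkAdapter -VMName ($SourceVMs + $SensorVM) |
    Select-Object VMName, Name, SwitchName, PortMirroringMode |
    Format-Table -AutoSize

# Roll back when the investigation is over, so the sensor stops receiving copies of
# everyone's traffic:
#   Get-VMNetworkAdapter -VMName ($SourceVMs + $SensorVM) | Set-VMNetworkAdapter -PortMirroring None
```

Using -VMName on Set-VMNetworkAdapter changes every adapter of that VM; if a VM has several adapters and you only want one mirrored, pipe the specific adapter object from Get-VMNetworkAdapter -Name instead.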

In case you don’t require the full network traffic, you can also gain visibility by using sFlow.

What is sFlow

Like the NetFlow protocol we discussed in the previous post, sFlow is a way to get information about the traffic between servers without capturing the full traffic.

Whereas NetFlow groups packets into flows and reports statistics about those flows, sFlow does no grouping at all. It is built around packet sampling: the agent picks 1 out of every N packets (N is configurable), keeps only the first 128 bytes of each sampled packet (the default header length), and packs several of these truncated packets, together with periodic interface counters, into a single UDP datagram that it sends to the collector. It is then up to the collector to decode the datagram and extract whatever is interesting from it.

Since sFlow does not aggregate packets, at the same sampling rate it has a higher network overhead than NetFlow, but in turn it has a very low impact on the device generating it. It can also expose information that NetFlow would not, because the collector gets the first 128 bytes of every sampled packet, including all the protocol headers in them. That cuts both ways: those bytes travel in plain, unauthenticated UDP (port 6343 by default), so the path from the hosts to the collector should be a management network or otherwise protected, and the collector itself should be treated as holding sensitive data.

The most common version of sFlow used today is version 5. It is supported by many switches and routers as well as firewalls and load balancers.
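The datagram format described above, as an added example that is not code from the original post or from the Host sFlow project: an agent-side builder and a collector-side decoder for an sFlow v5 datagram, written in PowerShell since that is what the rest of this procedure is typed into. The packet bytes, agent address and interface numbers are constructed for illustration, and the decoder only handles the flow-sample and raw-packet-header records the text discusses (counter samples are skipped).

```powershell
# Added example, not from the original post or the Host sFlow project. Builds a minimal
# sFlow v5 datagram the way an agent would and decodes it the way a collector would, to
# show that what travels is the first N bytes of each sampled packet, not a flow record.

function ConvertTo-UInt32BE([uint32]$Value) {        # sFlow fields are big-endian (XDR)
    $b = [BitConverter]::GetBytes($Value)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($b) }
    return $b
}
function Read-UInt32BE([byte[]]$Bytes, [int]$Offset) {
    [byte[]]$b = $Bytes[$Offset..($Offset + 3)]
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($b) }
    return [BitConverter]::ToUInt32($b, 0)
}

# Constructed Ethernet + IPv4 + TCP header for 10.0.0.5:51000 -> 10.0.0.7:443 (not a real
# capture), zero-padded to the 128-byte default header length of a 1514-byte frame.
$eth = 0x00,0x15,0x5D,0x01,0x02,0x03, 0x00,0x15,0x5D,0x0A,0x0B,0x0C, 0x08,0x00
$ip  = 0x45,0x00,0x05,0xDC, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00, 10,0,0,5, 10,0,0,7
$tcp = 0xC7,0x38, 0x01,0xBB, 0,0,0,1, 0,0,0,0, 0x50,0x02,0xFF,0xFF, 0,0,0,0
[byte[]]$hdr = $eth + $ip + $tcp + (New-Object byte[] 74)

# Agent side. Raw packet header record (format 1): header_protocol=1 (Ethernet),
# frame_length, stripped bytes (FCS), header_length, then the header bytes themselves.
$rec  = (ConvertTo-UInt32BE 1) + (ConvertTo-UInt32BE 1514) + (ConvertTo-UInt32BE 4) + (ConvertTo-UInt32BE $hdr.Length) + $hdr
$rec  = (ConvertTo-UInt32BE 1) + (ConvertTo-UInt32BE $rec.Length) + $rec
# Flow sample (format 1): sequence, source_id (ifIndex 3), sampling_rate 1-in-256,
# sample_pool, drops, input ifIndex, output ifIndex, record count, records.
$flow = (ConvertTo-UInt32BE 7) + (ConvertTo-UInt32BE 3) + (ConvertTo-UInt32BE 256) + (ConvertTo-UInt32BE 1792) +
        (ConvertTo-UInt32BE 0) + (ConvertTo-UInt32BE 3) + (ConvertTo-UInt32BE 0) + (ConvertTo-UInt32BE 1) + $rec
$flow = (ConvertTo-UInt32BE 1) + (ConvertTo-UInt32BE $flow.Length) + $flow
# Datagram header: version 5, agent address (type 1 = IPv4, constructed 192.0.2.20),
# sub-agent id, sequence number, uptime in ms, number of samples.
[byte[]]$datagram = (ConvertTo-UInt32BE 5) + (ConvertTo-UInt32BE 1) + (192,0,2,20) + (ConvertTo-UInt32BE 0) +
                    (ConvertTo-UInt32BE 42) + (ConvertTo-UInt32BE 123456) + (ConvertTo-UInt32BE 1) + $flow

# Collector side: walk the datagram and pull out each sampled packet header.
function ConvertFrom-SFlowDatagram([byte[]]$Data) {
    $o = 0
    $version = Read-UInt32BE $Data $o; $o += 4
    if ($version -ne 5) { throw "Not an sFlow v5 datagram (version $version)" }
    $addrType = Read-UInt32BE $Data $o; $o += 4
    if ($addrType -eq 1) { $agent = $Data[$o..($o + 3)] -join '.'; $o += 4 }
    else                 { $agent = [BitConverter]::ToString($Data[$o..($o + 15)]); $o += 16 }
    $subAgent = Read-UInt32BE $Data $o;       $seq = Read-UInt32BE $Data ($o + 4)
    $uptime   = Read-UInt32BE $Data ($o + 8); $n   = [int](Read-UInt32BE $Data ($o + 12)); $o += 16
    $packets = @()
    for ($i = 0; $i -lt $n; $i++) {
        $type = Read-UInt32BE $Data $o; $len = [int](Read-UInt32BE $Data ($o + 4)); $o += 8
        if ($type -eq 1) {                                  # flow sample (type 2 = counters, skipped)
            $rate  = Read-UInt32BE $Data ($o + 8)
            $input = Read-UInt32BE $Data ($o + 20)
            $nRec  = [int](Read-UInt32BE $Data ($o + 28))
            $p = $o + 32
            for ($r = 0; $r -lt $nRec; $r++) {
                $fmt = Read-UInt32BE $Data $p; $rlen = [int](Read-UInt32BE $Data ($p + 4)); $p += 8
                if ($fmt -eq 1) {                           # raw packet header record
                    $frameLen = Read-UInt32BE $Data ($p + 4)
                    $hdrLen   = [int](Read-UInt32BE $Data ($p + 12))
                    $h        = $Data[($p + 16)..($p + 16 + $hdrLen - 1)]
                    $etherType = ($h[12] -shl 8) -bor $h[13]
                    $src = $null; $dst = $null
                    if ($etherType -eq 0x0800) { $src = $h[26..29] -join '.'; $dst = $h[30..33] -join '.' }
                    $packets += [pscustomobject]@{
                        SamplingRate = $rate; IfIndex = $input; FrameLength = $frameLen
                        HeaderBytes = $hdrLen; EtherType = '0x{0:X4}' -f $etherType; SrcIP = $src; DstIP = $dst
                    }
                }
                $p += $rlen
            }
        }
        $o += $len
    }
    [pscustomobject]@{ Version = $version; Agent = $agent; SubAgent = $subAgent
                       Sequence = $seq; UptimeMs = $uptime; SampledPackets = $packets }
}

# Receive one real datagram from an agent (default UDP/6343) and decode it the same way.
function Receive-SFlowDatagram([int]$Port = 6343) {
    $udp = New-Object System.Net.Sockets.UdpClient($Port)
    try {
        $from = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        [byte[]]$raw = $udp.Receive([ref]$from)
        ConvertFrom-SFlowDatagram $raw | Add-Member -NotePropertyName Sender -NotePropertyValue $from.Address -PassThru
    } finally { $udp.Close() }
}

$decoded = ConvertFrom-SFlowDatagram $datagram
$decoded | Format-List
$decoded.SampledPackets | Format-Table -AutoSize
```

The decoded sample shows the whole point of the protocol: a 1514-byte frame arrives at the collector as 128 header bytes plus a sampling rate of 256, so the collector scales every sampled packet by 256 to estimate volumes, and it can read the Ethernet, IP and TCP headers directly because they are inside those 128 bytes. Run Receive-SFlowDatagram on the collector host once the Hyper-V agent is configured to confirm that real datagrams arrive and decode.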

sFlow in Hyper-V

Microsoft Hyper-V, unlike VMware (whose distributed switch can export NetFlow), has no built-in support for any kind of statistical capture protocol. sFlow support in Hyper-V is provided by an extension to the Hyper-V virtual switch. The extension is open source and is provided by the Host sFlow project.

To enable the Host sFlow extension, first download the Windows version from the project's web site and install it in the root partition (the management OS) of the Hyper-V server you want to monitor. If there is more than one server, install and configure the extension on every server whose traffic you want to monitor; the extension only sees the virtual switches of the host it runs on.

During the installation, you will be prompted to enter details on the collector. If you wish to use DNS-SD, see the documentation on the host sFlow web site on how to do this. We will be going over the manual configuration here.

The first parameter is the sFlow collector, which defines where the sFlow datagrams will be sent for analysis. Do not leave this as localhost or any other local address of the host: it will not work and no sFlow packets will be sent. After installation, all the parameters are stored in the Windows registry and can only be changed there; see the documentation on the Host sFlow web site for the exact keys and values.

After installing the switch extension, it needs to be enabled on the virtual switches. This can be done through Hyper-V Manager (or with the Enable-VMSwitchExtension cmdlet). Note that only switches connected to an External network can be monitored using sFlow.

Steps:

  1. Open the Virtual Switch Manager
  2. For each switch you would like to monitor, click on the + icon and select Extensions.
  3. Under Switch extensions select the sFlow Traffic Monitoring extension and enable it.
  4. Click Apply to save the changes. You may get a warning that the pending changes may disrupt network connectivity. Enabling the sFlow extension should not disrupt any connectivity on the server.

Once the extension is enabled, you should start to receive sFlow packets at the collector you specified. If you make any changes to the configuration of the host sFlow extension in the registry, you must restart the Host sFlow Agent service in Windows for the changes to take effect.
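The whole procedure (collector setting, extension enablement, service restart and a final check) scripted in PowerShell, as an added example that is not part of the original post or of the Host sFlow project. The registry path and value names under hsflowd\Parameters are what I recall from the Host sFlow Windows documentation and should be confirmed against the current docs; the collector address is a constructed TEST-NET address, and the extension and service display names are taken from the text above.

```powershell
# Added example (not from the original post or the Host sFlow project): point the Host
# sFlow agent at a remote collector, enable the switch extension on every External
# switch, restart the agent and verify. Registry path and value names are assumptions
# from memory of the Host sFlow Windows docs; confirm them before relying on this.
$Collector = '192.0.2.10'   # assumed collector address; sFlow uses UDP/6343 by default
$Port      = 6343

# A local address silently produces no datagrams at all, so refuse it up front.
$localIPs = (Get-NetIPAddress).IPAddress
if ($Collector -eq 'localhost' -or $Collector -like '127.*' -or $Collector -in $localIPs) {
    throw "Collector $Collector is an address of this host; sFlow must be sent to a remote collector"
}

# Host sFlow reads its settings from the registry (assumed path and value name).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\hsflowd\Parameters'
if (-not (Test-Path $regPath)) { throw "Host sFlow registry parameters not found at $regPath; is the agent installed?" }
Set-ItemProperty -Path $regPath -Name 'collector' -Value "$Collector $Port"

# Only External switches can be monitored; enable the extension on each of them.
$external = Get-VMSwitch | Where-Object SwitchType -eq 'External'
if (-not $external) { throw 'No External virtual switch found; sFlow cannot monitor Internal or Private switches' }
foreach ($sw in $external) {
    Enable-VMSwitchExtension -VMSwitchName $sw.Name -Name 'sFlow Traffic Monitoring'
}

# Registry changes are only picked up after the agent restarts.
Get-Service -DisplayName 'Host sFlow Agent' | Restart-Service

# Verify: extension enabled on every External switch, agent running.
Get-VMSwitchExtension -VMSwitchName $external.Name -Name 'sFlow Traffic Monitoring' |
    Select-Object SwitchName, Name, Enabled, Running
Get-Service -DisplayName 'Host sFlow Agent' | Select-Object Name, Status
```

The last two commands are the check worth keeping after any change: an extension that shows Enabled but not Running, or an agent that is stopped, explains a silent collector just as well as a wrong collector address does. Remember that the datagrams leaving the host are unauthenticated UDP, so allow UDP/$Port from the Hyper-V hosts to the collector only, and nothing else.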

Conclusion

Although there is no built-in function in Hyper-V to get statistical capture on your VMs, and the port mirroring is a bit more of a hassle to configure than it is on VMware, it is still possible to get traffic, either full or statistical, on a Hyper-V environment.

This covers two of the most popular hypervisors in use in modern datacenters, but the same concepts can also work for many other environments. Once you are familiar with the NetFlow and sFlow protocols, you can gain network visibility into almost any environment with minimal impact on the servers themselves.