Wednesday, November 23, 2011


Wireshark (previously called Ethereal) is a popular, free, open source protocol analyzer. This article will demonstrate how Wireshark can be used with sFlow to remotely capture traffic. For background, the article Packet capture describes some of the reasons why the multi-vendor sFlow standard should be considered as an option for packet capture, particularly in high-speed, switched Ethernet, environments.

The first step is to configure the network switches to monitor selected links and send sFlow to the host that will be used for packet analysis -  configuration instructions for most switch vendors are available on this blog. Alternatively, if sFlow is already being used for network-wide visibility then obtaining an sFlow feed can be as simple as directing the sFlow analyzer to forward sFlow to Wireshark.

The article CaptureSetup/Pipes describes how Wireshark can be configured to receive packets on a pipe. The following command launches Wireshark, using sflowtool to extract packets from the sFlow feed and pipe them into Wireshark:

[root@xenvm4 ~]# wireshark -k -i <(sflowtool -t)

Wireshark provides a real-time, graphical display of captured packets. The following screen shot shows packets captured using sFlow:

Packet trace in Wireshark captured using sFlow

In addition to being able to decode and filter packets, Wireshark has a number of statistical reporting capabilities. The following screen shot shows protocol statistics generated using captured sFlow data:

Protocol statistics in Wireshark captured using sFlow

When looking at sFlow statistics in Wireshark, it is important remember that sFlow is a sampling technology and that the numbers should be scaled up by the sampling rate. In this case a sampling rate of 1 in 1000 was configured so while the percentages are correct, the Packets, Bytes and Mbit/s numbers need to be multiplied by 1000. Looking at the top, highlighted, line the total values should be 24,000 packets, 25 Megabytes and 2 Mbit/s (not 24 packets, 24 Kilobytes and 0.002 Mbit/s shown in the table).

Because sFlow is a packet sampling technology there are limitations to the type of protocol following you can do in Wireshark. However, there are offsetting benefits. If you don't know which links to tap to solve a
problem you can use sFlow to cast a wide net and capture packets from hundreds, or even thousands of links simultaneously. Using sFlow also lets you easily monitor 1, 10, 40 and 100GigE ports without
overwhelming Wireshark.

In addition to its graphical interface, Wireshark also offers a text-only interface to facilitate scripting. The tshark command runs Wireshark in text mode, providing similar functionality to tcpdump. The following example uses sflowtool to extract packets from the sFlow feed and pipe them into tshark :

[root@xenvm4 ~]# tshark -i<(sflowtool -t)
Running as user "root" and group "root". This could be dangerous.
Capturing on /dev/fd/63
  0.000000 ->    TCP 37366 > iscsi-target [PSH, ACK] Seq=1 Ack=1 Win=3050 Len=1200 TSV=472366446 TSER=1180632633
  5.000000 ->    TCP twamp-control > nfs [ACK] Seq=1 Ack=1 Win=2560 Len=1448 TSV=472366931 TSER=1180633845[Packet size limited during capture]
  5.000000 ->    TCP twamp-control > nfs [ACK] Seq=1449 Ack=1 Win=2560 Len=1448 TSV=472366931 TSER=1180633845

Wireshark's interactive filtering and browsing capabilities, combined with an extensive library of protocol decodes, provides the detail needed to diagnose network problems using packet headers captured by switches using sFlow. The protocol analysis capabilities of Wireshark complement the network-wide visibility provided by an sFlow analyzer, extracting additional details that are useful for troubleshooting.


  1. Could you amend this article with instructions on how to do this with windows servers?

    1. I am not a big Windows user, so I have never had cause to figure out the recipe to get it to work on Windows. If you have some pointers, I would be happy to post the information.

      What I think would be very cool is if Wireshark would support sFlow directly as a virtual interface under the Capture menu. It would be simple to open a UDP port to listen for sFlow messages, strip the sFlow headers and feed the encapsulated packet headers into Wireshark's decoder as if they had arrived on a physical interface.

      If anyone is looking for a project, it would be pretty simple to do - Wireshark already knows how to decode sFlow and reach the encapsulated packet header. Stripping the sFlow headers off turns the feed into a very usable remote packet capture function that makes the most of Wiresharks packet analysis capabilities.

  2. hey, can you please explain how to connect wire shark and influx DB. i want to store the LIVE data captured by wire shark into influx DB. thanks in advance :)

    1. I don't of a way to export metrics from Wireshark to InfluxDB. You might want to consider using sFlow-RT, see InfluxDB and Grafana, Telegraf, InfluxDB, Chronograf, and Kapacitor, and Collecting Docker Swarm service metrics for examples.

  3. How exactly can I view sflow content from a remote switch on my windows pc, using the python program in this article? Can you share the steps? My python version is 3.8.

    1. Do you have Docker on your PC? You can find versions of sflowtool, tshark, and sFlow-RT as pre-packaged images on Docker Hub, see sflow.

      There are examples on this blog of using Python to query sFlow-RT and parse the JSON output of sflowtool and tshark.