Installation

1. In the Virtual Machines tab, in the File menu, select “Deploy a new OVF template”.

2. Find the Skylight capture: sensor OVA file and click Open.

3. Click Next.

4. Again, click Next.

5. Read the license aggreement, then click Accept and Next.

6. Name the Virtual Machine appropriately and click Next.

Recommended Requirements

The system detects the space available on the disk for the new Virtual Machine.

We recommend to allocate the following resources:

• For the Trial version, the minimum is: 6GB of RAM and 2 vCPUs. These specifications are for very low traffic. If you want to test with more traffic, please refer to the resources requirements for production environments defined below.
• For Production environments, the following resources are recommended:

Virtual Probe Sizing for a Capture sensor

*) On a system with hyperthreading, each physical CPU core typically expose two vCPU or threads to the operating sydstem.

Data Disk Specifications

Regarding storage, especially for production environments, data disk specifications are as follows:

We recommend using SSDs that are optimized for write-intensive applications.

We recommend that you use Thin Provision.

In case your hypervisor has NUMA nodes available, we also recommend that you use a maximum of 2 virtual sockets depending on the virtual machine role.

Skylight capture: sensor will try to effectively use the available NUMA nodes without hindering performance by binding the more demanding processes on specific NUMA nodes.

The basic recommendation depends on the role of your Skylight capture: sensor appliance and is as follows:

RAM configuration of the virtual machine should also match the host’s amount of RAM per NUMA node.

However, keep in mind that having multiple virtual sockets may not hinder performance if your host does not have any NUMA configuration.

For more information, please refer to the following article from VMware describing the behavior of vNUMA: http://blogs.vmware.com/vsphere/2013/10/does-corespersocket-affect-performance.html

The Virtual Appliance installation will start.

Click Finish.

You’ll get notified when the installation is complete.

Getting Started

Once the Virtual Appliance is installed, you have to start it.
Click on “Power on the Virtual Machine” or the green triangle.

Access the Virtual Console

The probe is launched. When the network interfaces turn into promiscuous mode, click on the Console view and then Enter to display the login prompt.

To know how to login and how the command line interface works, please go to Pulsar. With Pulsar, you can configure your keyboard, your timezone and other system settings like IP, DNS, NTP.

The summary view provided by vSphere displays the parameters such as IP addresses.

When your probe is set up, you have to reboot the Virtual Appliance.

Insert a License Key

Except the evaluation version provided from our website, the virtual appliances are delivered without license. You normally receive this key via email. If that is not the case, please contact us via our contact web page.

For more information about licensing and how to install the license, please go to Licensing and Upgrades.

Access the Probe Interface

To log into the web interface, please go to Access Through a Web browser.

Please go to Licensing and Upgrades to verify your license.

Traffic Capture

First and foremost:

• The port mirroring should be activated on your switches (or TAP eventually).
• Connect the mirror destination port to the ESX server port dedicated for traffic capture.

We will now set the network in promiscuous mode.

In the following example, we are using an ESX server with 8 physical ports. It is necessary to add a virtual network for traffic monitoring.

1. Connect to vSphere Client.

2. On your ESX server, go to the Configuration tab.

3. Click on the Networking Menu on the left column.

4. Click on Add Networking. Select Virtual machine as Connection Types, then Click on Next.
   Then, on the Network Access Menu, select the ESX physical port dedicated to traffic capture and unselect the others. The ESX physical network will be bound to the new virtual network.

5. Click on Next.
   We can customize the new network label as Mirror here.

VLAN ID (optional) for VLAN tags:

0   : Disables VLAN tagging on port group
4095: Enables VLAN tagging on port group

6. Then, click on Next and Finish to complete the operation.

Set Up Promiscuous Parameters

The ESX server now manages 2 virtual networks.

The aim of the second vSwitch vSwitch1 is to show the flows in promiscuous mode.

To set up promiscuous mode on the Mirror Network:

1. Click on vSwitch1 Properties.
2. In the General tab, edit the MTU settings to 9000.
3. In the Security tabs, select Accept from the promiscuous mode listbox.

Add a Listening Network Card to Virtual Appliance

Here, we should add a listening network port in promiscuous mode.

1. Right-click the virtual appliance and choose Edit settings.
2. In the Hardware tab, click Add, then choose Ethernet adapter and click Next.
3. Attach the new Ethernet adapter to the network in promiscuous mode.
4. In the network connection listbox, choose the correct network configured above, then click Next.
5. Click Finish to complete the operation.

For more information, please refer to the Registering capture: sensor article.